One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”, it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need less inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate from because it is not already saturated) can not afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India, the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so that means additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that can not be derailed.

Second, I believe in open source. While the majority of users could care less about source and will never tweak their code, there are a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it, go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement isn’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from and advance beyond, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.
Third, the idea that users choose desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding “what I use at work and already know” is more likely the top considerations. Followed by stability and price. But even in those decisions, Linux has made a huge improvement and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar and begin to use it at home. Add to that equation the coming army of global young people that have been using Linux as their base of education and you see a rising tide. I think of Windows 7, not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows/Linux and OS X, with easier sharing, integration and cross platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelic groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point – I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I) and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long long time.
Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the market place. They are kind of on a “computing land bridge” between the hand held devices that will evolve from smartphones and the real functionality and usability factors of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long term bet to me. (Note, I just bought a Linux-based EEEPC to try, but have not used it yet.)
So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though, they too seem to be improving (without any real metrics research on my part). All operating systems though, face high levels of additional risks from all of the add-on apps and software users use on desktops. Part of what I think will be important in the future of security of desktop systems is how they minimize the damages that a user level compromise can do. How do they prevent escalation? How compartmentalized do they keep data? What detective and responsive controls do they build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. What OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindset and crowd-source is much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.
So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.