From time to time, an "excited" email sender asks me for advice on starting a career in the security industry (computer, information, network, …). Great! We need more passionate, creative, and hard-working people to make our technology environment more secure.
With the sudden hacking incidents in our country this year (the Vietnam Airlines incident being a typical example), businesses are probably considering investing more "aggressively" in security. This is also a profession that brings in quite a good income.
NOTE: It's not like the movies.
Working in the security industry is not like what you see in Hollywood. I EXTREMELY enjoy watching hacker-related movies for "delusion" and entertainment, but my daily work (in my experience) is not as dense and "sexy" as on the screen.
However, this is still a very important, challenging, and equally worthwhile field.
There are no standards.
Security is a very broad, specialized, and pragmatic profession. Currently the market is in high demand for those who can design and build secure systems, those who (find ways to) break systems, those who (seek to) penetrate them, … In my opinion, once you enter this industry, there is no single preset path. Maybe this will change as the field of security grows further, but that is also very unlikely. Unlike other professions that require a degree (such as law or medicine), this profession is both free and scary.
You will also have an advantage if you have a lot of experience and knowledge of applied computer science, or of the working principles of computers and software. Much of "applied computer science" is about solving problems with layers of abstraction, and security often revolves around false assumptions about these abstractions … and then finding the best way to handle them.
I myself, with a degree in computer science from a public university, gained a lot of the above knowledge. Some topics that were useful for me are: operating systems, networks, computer architecture, and compilers. Moreover, I only took courses that I liked (e.g. digital signal processing, biomedical engineering, artificial intelligence, etc.), and joined student / internship groups to learn more about network security, privacy-enhancing technology, and security applications (web, client).
You will also have a great advantage if you understand how humans (users, customers, …) use technology. If I could go back to college (I don't care), I would not hesitate to register for classes in psychology, sociology, …
The security industry is diverse, but how diverse? I have met many experts: some have a "traditional" degree (computer engineering, computer science, math, …), some have "ungainly" degrees (chemistry, film editing, psychology, design, …), and some quit school before getting a degree.
As you can see, the question "What does security need?" also has an answer: both, and you should not limit yourself over the question of a degree. Yes, having one is good, but if you don't, you don't need to worry.
Stop reading, do it!
In any job, you should accumulate practical experience as quickly as possible. That way, you can understand more about your interests, strengths and future direction. You will also understand what a day on the job is like, how it works, … One of the most useful experiences I have ever had was an internship that made me … hate it ever since. It gave me more motivation to jump in another direction.
As for how to get experience, I myself don't have a clear answer. You can participate in seminars and job fairs, or apply for low-wage internships (or unpaid ones, if you really like the work and want to learn). One event leads to another: go from low to high, work and study hard, and you will soon reach your goal.
Every security expert I have met actively writes code. Writing code gives you experience of writing software, including making unintentional (and inevitable) security errors.
If you are not sure where to start with your own project, you can also fix bugs in open source projects. Everyone likes the guys / girls who fix bugs! The project owner will thank you, and this is a great way to gain practical experience, which will help you get acquainted with your future work.
Take the time to find bugs in software, and learn how to use a debugger, a network scanner, a web debugging proxy, and a software fuzzer. Find playgrounds for hackers (at any level). To keep improving on your own, English is also very important.
At the same time, there are plenty of challenges open to you, which are both a good environment and a reward that pushes you to work harder. In many cases, people hunt bugs for Chrome and Google, get a lot of bonuses, and so switch over to being bug hunters.
Currently in Vietnam, there are not many gathering places like DEFCON where the "talented men" can express themselves, partly because the security-hacker community in our country is still quite dispersed and "hidden". If your English is quite good, you can "spread" to international communities like SigMil, or to some quite popular books and magazines. Best of all, you learn the most from your colleagues: their expertise, the difficulties they encounter, or just the idea of another season. Knowledge sharing is important because:
- It is an effective and necessary way to arrive at the best security solution (or the mistakes to avoid) in an organization or project.
- When I personally prepare a good presentation or documentation, I often discover many "hidden corners" of the problem, and thereby learn many new things.
- I have also been "enlightened" on many things by the "difficult" questions and comments of the audience.
Communication is also important.
In security work, you will often have to explain complex, highly technical problems to many audiences with different expertise and different vocabulary. You won't have a clear scale when you have to describe the severity of a problem, and you won't have anything "spectacular" to show when you want to "show off" your latest solutions. You also have the task of keeping people calm and focused, even when everything is "on fire." Thus, you need strong communication skills, and more specifically the skills to explain and negotiate.
Prepare to work hard, and sometimes to fail.
I'm not sure whether you already know this (but it is important enough to repeat).
Security is challenging work. You must continually learn new things, because the technology picture is always changing, and the methods of protecting those technologies must also grow (and often at a slower pace). The "risk" side, with abundant time and resources, is also able to adapt very quickly to new security measures.
Security is high-pressure work. People in the field must deal with ambiguous issues, a lack of comprehensive solutions, limited data, and existing threats to human safety.
It is very difficult to evaluate success in security, but in my opinion, when it fails, it is very clear. And as with physical technology, we usually care first about reducing risk; there is no impenetrable "bulletproof plate".
Let's try to stay optimistic.
As you can see, when you choose to follow the path of security, you must face countless troubles. Keeping up with technology and innovation is almost impossible. For example, the buffer overflow vulnerability has been known for ten years, but even now (2016) it is still exploited by hackers as usual. Therefore, you may also hear people say security is "yes or no", and that hackers are increasingly prevailing.
The reality is harsh, but keep a positive, optimistic spirit, and think about what technology has done for us, the impressive things! Compare the changes that technology (and security) has been bringing us for decades. Technology is obviously not perfect, and it will never be perfect. But it will continue to grow and do even more incredible things in the future.
Open your mouth and ask.
Even if you are "unfortunate" enough to run into "those guys", don't be discouraged. Everywhere has its share of xenophobic, "cool" types, and security is no exception.
Most of the successes I have achieved are thanks to the support, advice and help of many people who went before me, and who have now become friends and peers. Opening your mouth to ask doesn't mean you don't fit in this industry.
If you have questions, just ask. But you still have to work hard, and make it as easy as possible for others to help you. Almost every expert is busy. So if you write a short, clear email with just enough information, your chances of getting an answer will be higher.