Many people ask me for career advice on how to “get into security”. I have a couple high level ideas for all of you, I hope this article helps.

Mentorship

Once you have gotten to know some people, try to find a professional mentor. This is a person who can help you steer your career, and has your best interests at heart.

Remember when you ask someone, you are asking them for a gigantic gift — their knowledge, time, trust, resources and kindness, and you should not take asking them lightly.

Also, if you do take someone on as a mentor, remember to appreciate what they do for you. And if they ask you to do something like “read this book” or a blog post, or something else reasonable, actually do it. They can’t teach you if you don’t follow any of their advice.

I encourage you to use the #cybermentoringmonday hashtag to find a mentor.

Communities

Join the community or communities you want to be a part of. For example, if you want to learn about the security of software and applications, join OWASP. If you want to “hack all the things”, join OWASP and also join your local DefCon chapter. If you want to learn about Risk Analysis, join ISSA or ISACA. And if you’re not sure, go to all of them. :)

Networking

Meet people and network, but don’t just ask for jobs. That’s not networking, and it’s really unattractive if the first time someone meets you they immediately ask you to be their reference, or to recommend them, when you are in fact a stranger. Meet people, get to know them, talk to them, and then tell them you are looking. People help their friends.

Open Source Contributions

If possible, contribute to an open source project, so that you have work to show off. If you are learning how to use security tools, write to a project owner on GitHub and ask if you can scan their app and report some vulnerabilities. Or just spin up your own copy of it, and then add it to their bug list. It’s a great way to learn, and then your username is all over. :)

Try to contribute back to the community and field. If you figure out a cool new thing, write a blog post about it. If you made your own script to do something that makes your life easier, open source it. If someone asks if anyone can review their talk or post or whatever, offer to help. Give back.

Bug Bounty Programs

Participate in bug bounty programs, like the one for my employer. This is a chance for you to try to hone your skills, and perhaps make some money while you’re at it.

At Work

Offer to do security tasks at your office (assuming you are currently employed in IT). When I wanted to switch over from Dev to Sec I just kept reporting security problems I found, offering to remediate all the security bugs, and offering to be on the security projects. And one day they gave me a job. :-D

and finally…

Never Stop Learning

The last idea on this list, and something we should all be doing, is to teach yourself. All the time, not just when you are trying to get into the field. There are quite a few amazing free resources on the internet, as I previously blogged about.

If you want to continue to develop your skills, check out WeHackPurple Academy’s NEW course, Application Security Foundations, taught by yours truly! There is also a lot of awesome content to subscribe to for only $7 a month!