A lot of people ask me how I got into InfoSec, so I decided to write a blog post about my journey. I wasn't always interested in InfoSec, but it quickly became something I was quite passionate about. This is Part 1 of a 2 part blog. I want to provide as much detail as possible. Hopefully I can help a few readers through my experiences.
I always used the computer growing up, whether it was to play desktop games, chat with strangers online or create custom MySpace layouts. I spent a lot of time after school learning about HTML/CSS, photoshop and how websites worked in general. It was a hobby but it wasn't something I considered doing for a living.
I was often bored in high school, I did the work but it was boring and I didn't really feel like I "fit in" so I dropped out my senior year. I got my diploma through an "adult" high school and decided to go to community college for criminal justice. After I got my associate's degree in criminal justice, I decided to pursue a bachelor's degree in database administration.
I was pretty anxious to enroll in a STEM program because I knew my classes would be predominantly men. It was intimidating, but I was excited to start learning. I took classes on architecture and operating systems, networking, object oriented programming and systems analysis & design. There were hands on "labs" where we had the opportunity to work with a partner or in groups, so I began to make friends with my classmates through the weeks, months and years. One of my colleagues was rather nonchalant about school, so he often spent time working on other things in class.
One day, he showed me the Linux distribution for penetration testing. Yes I'm talking about Kali Linux. People have this weird presumption that you're taught about everything in college, which couldn't be farther from the truth. I had never even used Linux up until that point, but I was intrigued. He showed me how to set up a fake WAP (Wireless Access Point) for our classmates to connect to. I thought this was the stuff you only saw in movies, but I loved it. I decided to switch my major from database administration to information security and I never looked back.
I researched pathways into information security and saw that a lot of people started in help desk technician roles. I started applying for jobs before I graduated with my bachelor's degree and landed a position with a company that provides hosted desktop solutions, including Microsoft Office and Exchange, for healthcare providers. I cannot emphasize the crucial role that my experience in help desk played in my career.
The majority of my calls involved password resets, user access provisioning, printers or networking issues. This is where I learned the criticality of documentation. Document times, dates, names and issues/outcomes. Document everything. I also learned important soft skills that enabled me to build relationships with our customers and other teams. When people have enjoyable, pleasant experiences with you they are happy. As painful as it may be sometimes, your job is to serve the customer, which may not always be the end user.
I decided to pursue security certifications because the InfoSec program I had enrolled in only provided 4 core InfoSec classes. I researched entry-level security certifications and came across the CompTIA Security+ and ISC2 SSCP certifications. I scheduled the certification exams a month apart from each other and studied 2-4 hours a day for approximately 6 weeks. I definitely believe that the certifications opened doors for me.
I started speaking with the members of the InfoSec team after I got the certifications. I asked my manager if I could work with them for an hour a day and he agreed. I learned about anomalous behavior, firewall rules and whitelisting. I got to use tools like Bit9, Carbon Black, Palo Alto and Cylance. I looked forward to that hour every day.
I got bored of resetting passwords, adding users to groups and adding websites to "trusted sites" really quickly. The networking team was short-staffed, so I took the initiative to help them with their work. I learned fundamental networking in college, but I was finally provided with the opportunity to do things like crimp cables and deploy switches and routers. I got to go on-site to troubleshoot networking issues. I took every opportunity to learn as much as I possibly could. I encourage you to do the same throughout your career.
Eventually, I hit a peak. I was told there would be no positions in InfoSec anytime soon. I asked for a promotion to the networking team and was told that I needed to get the CCNA certification. It was disheartening to say the least because people on the networking team didn't have the CCNA, but it was a requirement for me. Nonetheless, I started studying. I learned how to configure routers and switches (securely) and create VLANs. It was a lot. However, I think that learning networking is integral to understanding InfoSec so it was for the best.
I decided that I might have opportunities elsewhere so my job search began. It wasn't until I began working at my next job that I would learn how to create an information security program from the ground up, including writing policies, performing risk assessments and learning to use various security solutions and platforms.
I am going to wrap up Part 1 of "My Journey into InfoSec." If you made it this far, thank you so much! I will be talking more about the path I traveled into InfoSec.
If you enjoyed this blog, please buy me a coffee. https://www.buymeacoffee.com/cassiecage