So you want to be a Security Practitioner

So let’s say you want to get into security, some people ask me. See, security is a very interesting field. There is so much to learn, there is often unexpected excitement, you get to understand how things really work by taking them apart, sometimes destructively, and in general improve the state of the connected universe. You get to discover things about a system that the authors did not know about.

There are often skills that are common to other professions such as programming, network analysis, and system architecture.

There are other skills, though, that seem rather peculiar. One is the ability to take the bits of a binary program or operating system, and rip it apart and see what makes it tick, and discover bad things about it before attackers do. Another skill is analyzing an application, such as a web application, by analyzing how it responds to external stimuli.

How do I get there?

The best thing is to grow up on a farm, preferably a northern plains dryland wheat farm. You will learn many useful skills, particularly in the area of resourcefulness. There is barely enough water to make a wheat crop, and with that, you have to leave the land idle for a year, planting only half each year, so that the land has enough water. And the growing season for wheat is approximately three days longer than the actual growing season.

Then there are thunderstorms, which come with hail, which can ruin a crop in less than half an hour.

So learning to cope with that will put you on a path to becoming a diligent, resourceful security practitioner.

What should I do next

Then next thing to do is to study ham radio. This will put you in touch with lots of technology–some of it precursors to computers. If you really get into it, building homebrew rigs, putting up towers, you might then be inclined to pursue an electrical engineering degree, perhaps at a school in the midwest.

While you are banging your head on static fields and dynamic fields and control system theory, you would do well to pick up some important bits of engineering philosophy, such as a problem-solving attitude.

While you are there

You might, during you engineering courses, pick up computer programming as a side interest. This will be quite interesting, as there is much yet to be done in the field, and much engineering to be done by software. Just remember to finish your engineering education, even if you get a part-time/full-time job in your senior year.

Get a job in a startup in the medical field

Next up is to be the first employee of a medical startup that requires intense real-time programming, almost entirely in assembly language.

While you are doing that, it is helpful to discover compilers and how they work. This ends up being a combination of many important software engineering components that will server you well in your chosen profession.


Building a compiler is a very instructive exercise. There are many interesting subproblems.

First there is the parsing task–breaking up a the source code into tokens. While doing that, some of the tokens are keywords, and some are symbols. In either case, you need to build a proper symbol table that has appropriate information and is not too slow.

Once the parsing is done, you need to put tokens together in phrases then into sentences to form a parse tree or equivalent. From the parse tree, you can then generate machine code.

You might take up the challenge of generating good machine code that an assembly language programmer would be chided for writing–it is inscrutable.

Now a step into security

In a diversion, you might check out an invitation to chat with a small security firm, and be accepted, after a technical test.

But seriously

This is how I got into security.

I’ve read many blog posts about The Proper Way to get into security, whether it be through particular classes, or certification, or unpaid internships.

I have also seen rampant criticism of the career of the CISO of Equifax after their massive breach because she had a music degree.

The fact of the matter is that there are many paths to a career in security. Mine is just one. Others include a music degree (held by the famous security researcher Mudge (Peiter Zatko) who has a music degree from Berklee.

Other paths include anthropological forensics, hacking computers while in high school, a degree in criminal justice, regular programming degrees, vegetarian cook, liberal arts degrees, specialized information-security degrees, math degrees, and many others.

This is a good thing, as the security profession needs a rich diversity of talents and views to properly counter attacks and defend things and people connected to the internet.

What does it take

In my experience, what works is a deep interest in the field and activities of security, and a willingness to learn. A lot.

The other talent that may be hard to describe or measure is the ability to see things out of the ordinary. Such discoveries are often signaled by “Gee, that’s funny.” This can lead to a chain of discovery that eventually leads to a serious flaw in an important piece of software, or a tiny blip in a network log that leads to understanding an intrusion.

Free resources

There are many free resources for investigation and learning.

One very interesting one that has led to at least three high-level careers that I know of is Crytopals. This site presents a number of self-guided exercises in which you learn to break cryptography. Things that you might not have thought could be broken. Check it out.

There are others on the net such as OWASP, SANS, Pluralsight and many others.