I gave a talk a few weeks ago at SpoofIT, the IT Security club at UOIT. I referred to a number of links and resources during the talk but haven’t had a chance until now to post a list of them. I’ve also written up a little summary of the talk for those who missed it. I owe a huge debt of inspiration to James Arlen’s talk at The Last Hope, which you can download at the hackermedia archive or on bittorrent at the HOPE tracker. It’s the one titled “From Black Hat to Black Suit”. He’s been doing this a lot longer than I have, so go watch his talk too 🙂
- figure out what you want out of a career in information security – technical mastery, a cushy job, organizational power? There are lots of reasons to want to work in this field, but you should put some thought into what your reasons are.
- do your networking, especially while you’re still in school. Build your network before you need it. Go to user groups (SpoofIT, TASK, OWASP, UU, GTABUG, Windows-related ones I’ve never heard of, etc.). Go to conferences – you can do it on the cheap, pay your own way when necessary. Participate in the appropriate professional organizations (but choose wisely). Take advantage of the network you have by default through being at school – cultivate those relationships.
- get your big break. Build an online “brand” (barf) even if it seems cheesy (see this blog? That’s what I’m trying for here 🙂 ). Remember that the people hiring you will Google you and do things like compare your LinkedIn to your paper résumé. They will read your blog and Twitter and look for red flags. This can be a good thing – I don’t try to hide that I’m a feminist, because I don’t want to work anywhere that would not hire me based on that. Lock down the privacy settings on your Facebook, though. Volunteer. Check out Hackers for Charity (when Johnny gets the site back up) and TechSoup. Work HARD on your soft skills. Learn to speak fluent Human, not just fluent Geek. But be careful, and pick the organization you have your big break at carefully. Judge organizations harshly. Read the Mythical Man-Month. We’re still making many of the same mistakes. Orgs which have parallel tracks for technical and managerial advancement are a very good sign. No seriously, read the Mythical Man-Month. Pay attention to the interactions you observe while interviewing. The interview really is about you checking out the company as much as them checking you out.
- build yourself up. Try things which stretch your abilities and comfort zone. Figure out how to survive within whatever organization you’re in – it won’t be easy. Pay your dues, whatever they are. Expect to not be doing as much strictly security work as you want. Expect to do sysadminning and lots of log-related stuff. I think the idea of having a degree in security is too young to get you out of this entirely, but it will help.
- try different things. Big companies, small companies, non-profits, public service. The latter two will likely make you crazy; if they don’t, you’re very lucky. Be a generalist, and learn a bit of everything. But make sure you stay a year. It looks bad otherwise.
Some conference-related advice, from someone who’s lost count of how many I’ve attended:
- go. They are the most efficient way to network, bar none.
- if you can’t go, download and watch talks. The hackermedia archive is the first place to look: http://tinyurl.com/hackarchive. Con websites will also frequently post talks soon after the con, and many cons stream content live as well.
- talk to the speakers, but find a way to bring value to the conversation, and don’t be a fanboy/girl. They want to hear how it relates to what you’ve been studying – that’s a good way to start the conversation.
- bringing value to the conversation is the general rule. Have a cool project you’re working on for fun, or some interesting coursework you can talk about. Go out of your way to be nice to people. Bring business cards, and write key things on them before you hand them out, and on any cards you receive from others. I love my moo cards, even if they are a geek cliché. Put your GPG key on them. Follow up on contacts. Don’t be forgettable, but don’t be remembered for being a jerk. And, uh, party wisely lest embarrassing photos of you end up on Flickr 🙂
- present at them! The bar is lower than you think. I’ve seen some really crappy talks at conferences. You can do better. Presenting well will grant you amazing opportunities and exposure. Do manage the press aggressively, and be careful what sound-bites you offer up in interviews. Reporters aren’t your friends, unfortunately.
I spoke a bit about Defcon, NOTACON, and SecTor. There’s also a great calendar of all sorts of hacker / security events here.
None of these are hard rules, just things I’ve found to work, learned the hard way by doing the opposite, or been told by people whose advice I value. I hope you find them useful.
-Leigh
“Put your GPG key on [business cards].”
Is that supposed to be PGP, or am I really that behind in computer security?
@Geofrey GPG is the GNU version of PGP. They are compatible 🙂