The #1 thing I'd recommend to people going into InfoSec is a constant drive to learn things. For the HN crowd this is a given, for the non-HN crowd many people like to become experts in things and then be able to use that same expertise for years.
In InfoSec, regulations are constantly being changed or updated if you're an auditor. If you focus on application security from a code perspective you'll constantly be learning new languages and frameworks. If you focus on network security new attack vectors will constantly appear and need to be mitigated based on new services, protocols, etc.
For the non-auditor roles you'll also really need to enjoy puzzles or figuring out the solution to a problem given a non-obvious set of complete information (think multi-variable calculus, you can figure out what X is but not without a lot of work).
I spent most of the past decade in the space. It is fun but it can be frustrating for the technology purist. Business isn't always interested in doing what is the "best security" -- they'll want to do a mix of compliance (which is the practice of security controls to meet regulations a business has to follow -- these may add no "real security" at all when implemented) and then enough security to minimize the risk; not often enough to really eliminate it.
Apart from the totally out-of-whack industry percentages (I think it's closer to 60% "other", the more I think about it), I think this is a really clearheaded and insightful post, which is unsurprising given that Dan Guido is hip deep in this industry.
For what it's worth, I found DDZ's Amazon list from this post and was motivated to write my own, which you can see at: http://amzn.to/cthr46
That reading list is a tall order, but still, a watered-down version of the "blackhat" curriculum.
Here is 'infosec' in a nutshell: love computers to death and become as good a developer and mathematician as the upper-division hackers working on core systems software, then give it all up to become a glorified human debugger, co-writing "papers" with bureaucrats and opportunistic, washed-up, fear-mongering have-beens.
The training and experience required is just not commensurate with the glory that can be had elsewhere. Either in developing software, OR taking the other side of the infosec game...
I used to work in government. It seems like everyone got degrees that made them qualified to run around chasing people about passwords. IDA Pro? Buffer overflow? Out of the question. They collected a paycheck and that was it. Infuriating.
The people who could use IDA Pro and write buffer overflows weren't the people who cared about other people's passwords.
They ARE there, but they're not out in the open by any means.
Edit: maybe more poignantly, those people you reference are 'Information Assurance' or 'IA' professionals (mostly with titles that reflect this, such as IAM or IAO).
IA is part of the CND section of CNO - the 'fun' stuff is in CNE/CNA.
For more: http://en.wikipedia.org/wiki/Computer_network_operations
I know there are more than several of us on Hacker News who work in the field of information security, and many ask how we got started. Dan Guido created this guide for recent college graduates looking to break into information security as a career path. Before, Dan put together a class on penetration testing and vulnerability research, where some of the world's top leading researchers are guest lecturers.
Another way to get in (if you are attending a University) is getting a job as an assistant to an infosec professor. Depending on the school and the interest this might be the easiest way.
This is what I'm doing starting August and it is a lot easier than getting into the industry, since they are even worse in their prerequisites than the rest of the IT industry, at least in Switzerland (I saw one that said "20 to 22 years old, CISSC and 5 years of industry experience").
If you're at University, a far better way is to take an internship for a company that does security. We've had nothing but amazing luck with our interns. They're paid positions and they connect you directly to people who will be hiring when you get out of school. We're a consultancy, so in addition to hiring directly, we're also doing all of our clients a huge favor any time we can place someone for them.
Long story short: I might not waste my time with professors. Get out of the building and into the real world!
Why is that? Virtually everyone in the entire industry is contributing to OWASP. Aspect doesn't own it. I'm pretty sure the reason Matasano is on the list is that Matasano's Stephen Ridley works with Dan on the class. Maybe Aspect just doesn't contribute to his class.
Since you go to NWU, you're in Chicago. You should come to Chicago OWASP. Matasano's Mike Tracy coordinates it.
(Backstory for the rest of you: Aspect "sponsors" OWASP in some manner --- I'm not clear on how --- and drama like this is why CitySec has a no sponsors rule.)
I don't know anyone from Aspect and they haven't contributed to the class in any way.
I'm well aware of OWASP's contributions to web security, I'm actually a board member for the NY/NJ chapter (http://www.owasp.org/index.php/NYNJMetro). If I had a good reason to cite them in this instance, then I would.
There was also some discussion of this article on Reddit. Readers might want to check out some of the comments there: http://www.reddit.com/r/netsec/comments/cc4ye/information_se...