What does it take to succeed as an information security professional? There are many paths to a successful infosec career, many top jobs in the industry, and many different types of people can excel in the field.
Indeed, diversity is fundamental to good security. To be effective, security requires contributions from people of different backgrounds and personalities with various interests and skills.
But is there one thing they all share? Is there one personal characteristic that should be considered a requirement for entering the security field?
Over the course of my career, I've had the pleasure of working with many excellent security professionals, and to my mind, there's one important thing they've had in common: they all possess (or perhaps are possessed by?) the security mindset.
The security mindset is a peculiar mix of curiosity and paranoia that turns life into a perpetual game of asking "what if" questions, such as the following:
- "What if my phone gets stolen?"
- "What if I try my key in a different lock?"
- "What if someone types too much text into our online registration form?"
So, how can you find out if you possess this coveted "security mindset"? Consider the following scenarios that typify the mindset:
- When you encounter a Web form that asks you to enter a number between "1" and "100", you wonder what would happen if you enter things like "101", "-1", or "`);".
- You've researched how a garage door opener remote works because you were curious if others could open your garage door without permission.
- When logging into your computer, you've deliberately mistyped your username or password just to see what happens.
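The Web-form scenario above is, in defensive terms, an input-validation question: what does the server do with "101", "-1", "`);", or far too much text? The following is an added example (not code from the original post) showing a strict validator for a hypothetical "enter a number between 1 and 100" field beside the naive one-liner most people write first, so you can see which probes each one accepts. The field name, length limit, and probe strings are all constructed for illustration.

```python
import re

MIN_VALUE, MAX_VALUE = 1, 100
MAX_INPUT_LENGTH = 16  # refuse oversized submissions before doing any parsing

# Only ASCII digits. Note: str.isdigit() is NOT a substitute here, because it
# also accepts characters such as superscript "²", which int() then rejects
# with an exception, and Unicode decimals such as Arabic-Indic digits.
_ASCII_DIGITS = re.compile(r"[0-9]+")


def validate_range_field(raw, low=MIN_VALUE, high=MAX_VALUE):
    """Strictly validate a form field that must be an integer in [low, high].

    Returns (True, value) on success or (False, reason) on rejection, so the
    caller can log *why* a submission was refused (useful for spotting probing).
    """
    if not isinstance(raw, str):
        return False, "not a string"
    if len(raw) > MAX_INPUT_LENGTH:
        return False, "too long"
    if not _ASCII_DIGITS.fullmatch(raw):
        # Rejects sign characters, whitespace, exponents, underscores,
        # hex prefixes and anything that looks like code or markup.
        return False, "not a plain decimal integer"
    value = int(raw)
    if not low <= value <= high:
        return False, f"out of range {low}..{high}"
    return True, value


def naive_accepts(raw, low=MIN_VALUE, high=MAX_VALUE):
    """The tempting one-liner: int() and a range check. Kept for contrast only.

    Python's int() silently accepts surrounding whitespace, a leading '+',
    digit-group underscores ("1_0") and non-ASCII decimal digits, so this
    passes values the form never meant to allow.
    """
    try:
        return low <= int(raw) <= high
    except (ValueError, TypeError):
        return False


# Constructed probe inputs, in the spirit of the "what if" questions above.
PROBES = [
    "50", "1", "100",          # legitimate boundary values
    "101", "-1", "`);",        # the three probes named in the post
    "", " 7 ", "+5", "1e2",    # empty, padded, signed, exponent
    "0x10", "1_0", "007",      # hex prefix, underscore, leading zeros
    "\u0663",                  # Arabic-Indic digit three
    "9" * 500,                 # "someone types too much text"
]


def compare_validators(probes=PROBES):
    """Return {probe: (strict_result, naive_accepted)} for every probe."""
    return {p: (validate_range_field(p), naive_accepts(p)) for p in probes}


if __name__ == "__main__":
    for probe, (strict, naive) in compare_validators().items():
        shown = probe if len(probe) <= 12 else probe[:9] + "..."
        print(f"{shown!r:>16}  strict={strict}  naive={naive}")
```

Run as a script, the table makes the gap visible: the strict validator accepts only "50", "1", "100" and "007" (as 7), while the naive version additionally lets through " 7 ", "+5", "1_0" and the Arabic-Indic digit. None of those are dangerous in isolation, but a value the application forwards as the original string to another system is only safe if the string itself, not just its parsed form, is what you expected.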
If any of those (or similar) examples apply to you, then a career in information security might be a good fit.
Now that you've identified the security mindset within yourself (or adopted it), it's time to build upon it – it's not enough to simply ask an endless stream of "what ifs". That sort of hypervigilance is unhealthy.
The real art of security is balance. It's knowing precisely when to stop asking such questions. Ask too many "what ifs", and your security ends up costing too much. Ask too few, and you'll leave critical risks unconsidered and wind up an easy target.
To complicate matters, the appropriate number of "what ifs" changes depending on the circumstances. For example, protecting national security secrets warrants a more thorough and rigorous investigation of possible calamities than does protecting grandma's banana pudding recipe.
The ability to negotiate such trade-offs while keeping your sanity intact is a lifelong pursuit that improves by degrees through successes and failures. While it only takes a few hours to become familiar with the basics of information security, it takes a lifetime of dedication to learn it.
If you're ready to embark on that journey, I'm happy to recommend a few good starting points.
If you're a book person:
Check out Secrets and Lies – Digital Security in a Networked World by Bruce Schneier. It was written in 2000, so some of the material is a bit dated, but it still serves as an excellent and accessible introduction to the field of information security.
If you enjoy online courses:
Give The Open University's "Introduction to Cyber Security" a look.
If you're more of a social learner:
Browse through Reddit's "netsecstudents" subreddit.
Title image courtesy of ShutterStock