An introduction to career options in the information security domain, along with other advice useful for people starting out in information security.
This was first delivered at the c0c0n 2023 career village.
AI Generated Summary
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This presentation, delivered at c0c0n 2023, provides comprehensive career guidance for individuals interested in entering or growing within the information security field. Anant Shrivastava covers the distinction between infosec and hacking, maps the breadth of security domains and roles, offers practical advice on skill development, certifications, resume building, online presence, and navigates the choices between startups versus corporates, employment versus entrepreneurship, and managing finances in a high-paying but volatile industry.
Key Topics Covered
Infosec Is Not Hacking:
Information security is a professional discipline focused on securing enterprises and businesses: keeping bad actors out, letting trusted users in, and enforcing authorized access
Hacking is about exploring systems and finding the unknown; it is a passion, not a profession
Conflating the two leads to misaligned career expectations and hiring mismatches
Domains of Information Security:
Eight core domains aligned with the CISSP framework: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security
A cybersecurity map reference illustrates the vast landscape of specializations within these domains
The field offers far more defensive positions than offensive, yet offensive roles receive disproportionate attention
How to Gain Knowledge:
Five-stage approach: upskill yourself using resources, read what others are doing, follow knowledge-sharing practitioners, participate in communities and events, and practice consistently
Practice framework: set up your own lab environment, write about what you learn, talk about what you learn, and present about what you learn
Communities and Events (India-specific):
Communities: Null Community (null.community), OWASP chapters
Paid conferences: c0c0n, Nullcon
Regional events: BSides chapters, DEFCON groups
Upskilling Priorities:
The IT world is moving toward “as code” paradigms, so programming is a necessary skill
Earlier acceptance of programming as essential leads to better career outcomes
Higher Studies vs. Experience:
Academia: focuses on getting the basics right (Bachelors/Masters) and on thinking far ahead of commercial needs (PhD)
Commercial world: provides implementational exposure and practical skills
Align your choice with whether you want to explore the future (academia) or implement solutions now (industry)
Certifications (A Pragmatic View):
Certifications prove you could solve a specific set of problems at a specific point in time
They serve as checkboxes, and humans naturally find the shortest path to pass
Two valid reasons: clearing HR screening filters and accelerated learning when company-sponsored
Certifications alone do not define competence
Resume Tips:
General: use simple words, be concise (1 page for 0 to 2 years, 2 pages for 2 to 10 years, 3+ pages only for executives), reduce past experiences to 1 to 2 lines each, emphasize impact over job activities
Your resume drives the interview β include only items you want to discuss and that demonstrate specific capabilities
Items to avoid: club memberships, attendance/participation entries (speaker roles are fine), photographs, certificate logos, fancy graphics, and irrelevant hobby achievements
Online Presence:
Curate your online presence proactively or social platforms will curate it for you
Associate your professional identity with your own domain, not Gmail or Outlook
Minimum setup: build your own website, host a blog (write about whatever you learn), and host your resume on it
Startups vs. Corporates:
Startups: chaos, unorganized, fast-moving, more individual power; essentially PoC builders for the corporate world
Understand the breadth of information security beyond pentesting β explore the eight CISSP domains and defensive roles to find the best fit for your skills and interests.
Invest in programming skills early (Python, Go, Bash, Ansible, Terraform): the industry is moving decisively toward “as code” paradigms, and scripting/automation capability is becoming non-negotiable.
Build your practice framework: set up a home lab, document your learning through writing, and progress to presenting your knowledge; each stage deepens understanding and builds professional visibility.
Approach certifications pragmatically: use them to clear HR filters and for structured learning, but do not treat them as the primary measure of your competence.
Craft your resume to highlight impact over activities, keep it concise for your experience level, and include only items you are prepared to discuss in depth during interviews.
Establish an independent online presence with your own domain, blog, and hosted resume; do not let social media platforms define your professional identity.
Make career structure decisions (startup vs. corporate, employment vs. entrepreneurship) based on an honest assessment of the trade-offs, and develop a financial plan that accounts for the volatility in compensation across different career paths.
Social chatter
Twitter/X
It’s conference day!
Don’t forget to join us at the career village starting at 11 AM with a talk by @anantshri on careers in information security!