
Advice from Lance Spitzner on Information Security Careers

I often get requests asking how to get started in information security. I can't blame people; it is an extremely exciting field. What I like most about it is that everything is so new that often there are no rules on how to do things. You make the rules up as you go along, almost like blazing a path through a wild jungle just as the explorers did hundreds of years ago.

Here are some suggestions on how to get started, based on my experience. I feel these work regardless of whether you are an existing IT person or coming from a different field. Personally, I was a History major who spent four years in the Army driving around in tanks, so if you have the passion, anyone can get started in this field.

  1. First, remember that information security is a very broad field with many different areas you can get involved in, such as network security, application security, system security, database security, human security, penetration testing, forensics, or even higher-level policy issues. Start exploring and researching the different areas and see what interests you the most. Passion is key here; if you are not passionate about an area, you will not be good at it. Also, the information security field has quickly grown very large, so at some point you have to start focusing and specializing.
  2. The best way I have found to get good at security is learning how things work. Beginners often want to jump in and start breaking things. Professionals know that you need the foundation of how things work. Once you learn how things work, that foundation combined with a healthy dose of curiosity and initiative will teach you how to break things. If network security interests you, learn everything you can about how networks and packets work; tools like Wireshark should be your friend. If application security interests you, learn everything you can about coding. If system or database security interests you, learn everything you can about how those systems work. Set up your own lab and play with the technologies in your field (Amazon's cloud, anyone?), read books, and follow the blogs of leading experts in those areas. Think like a 3-year-old: become a sponge and absorb everything you can.
  3. Once you have the foundation, start reaching out to the community. Join mailing lists or forums that specialize in your area, such as the Honeynet Project, or attend conferences and talks that interest you, such as those from the SANS Institute. In addition, volunteer your time and effort. For example, if there are any key tools in your field, offer to help by coding patches, writing documentation, or testing the tools and providing feedback. As you learn more, start publishing whitepapers or tools that can help others, and perhaps help with and even present at security conferences. My experience has been that the more you contribute to the community, the more you get back.
  4. Once you start becoming involved, you have to be very active to stay current. What you know now has a half-life of about 18 months. Technology and threats change at a mind-blowing pace in this field. Be prepared to be watching and learning on a daily basis. You will never know it all.


BIO: Lance Spitzner is the training director for SANS Securing The Human program. To learn more about security awareness and access free security awareness resources visit
