April 12, 2023 - Reposting an old article from Peerlyst.com

Hey internet friend. As always I want to start by writing that Black Lives Matter! I am going to be on a podcast soon and I am going to be referencing this article. It was written about a year into my offensive security journey and was originally called, "Infosec Companies - Why your next hire should hold a liberal arts degree." Posted May 16, 2018, it was a very popular article on the now-defunct website. I added a brief update paragraph to begin, and there were a few minor edits to clean things up, but the article is pretty close to how it originally appeared. I hope you enjoy!

Note: I did my best to leave this article unedited and just fix some formatting issues. Hopefully this is as close as possible to the way it was published on May 16, 2018. That means when I write, “last week” it felt clunky to go back and change it to “during the week before May 16, 2018.” I do want to add, after having the benefit of spending the last roughly five years working in the industry, that I think the ISC2 certifications are not valuable enough to pursue, and while I agree that penetration testing is not an entry-level job, I disagree with my assertion in the article that there are no entry-level information security jobs. This may be controversial, and I am sure people will disagree, but I believe you could start working in a SOC or doing IAM work with on-the-job training and could later transition to other information security roles. While it is possible to train someone with just a liberal arts degree, I think it would be very helpful for that person to spend time getting hands-on with either programming, networking, working at a help desk, or working in a SOC before starting to work as a penetration tester. Helpful and required are not the same thing, and I do believe it is possible to train someone who would be affectionately referred to as a power user to conduct penetration tests. If you want to be a well-rounded penetration tester, having experience in one of those four areas will give you context to understanding the larger environment. Nothing happens in a vacuum, and having knowledge and experience in these areas will give you insight to discover vulnerabilities you would likely otherwise miss.

Greetings!

In this post, I want to talk about finding a job in information security first by discussing some of the issues around hiring in this field and conclude by providing some reasons why looking outside of strict technical requirements can yield tremendous benefits. Last week, I started writing an article about unsubscribing from the /r/asknetsec subreddit because I was so tired of the frequently asked question, “I have no experience in infosec, how do I break in?” That post ended up devolving into me discussing my background in IT and how it took me nearly five years to break into infosec, but that got boring quickly. Then I saw that infosec Twitter has been buzzing about the problem of the hiring gap and, since I am currently looking for work, it seemed like a great time to write this article instead.

If you haven’t read my other posts or know about my background, let me just bring you up to speed with this quick paragraph. I worked my way up from the help desk to a network administrator over four years. But I got burned out, took five years off to earn undergraduate degrees in History and Philosophy and a MA in History. In May of last year my wife and I started an infosec consultancy but, owing to a non-compete from my first security job, we are extremely limited in taking on new clientele and so I started looking for my next industry career opportunity.

While there is often a discussion about a skills shortage and a need to hire workers, there is also a problem with professionals lacking interpersonal communication skills and the ability to interact effectively with non-technical users. It is in this capacity that academic training in the liberal arts can be uniquely helpful. Transferable skills like the abilities to effectively research, communicate, and explain complicated concepts can, with on-the-job training, make liberal arts degree holders valuable resources on any team. Although there is often a technical skills gap owing to non-technical research requirements, formal historical training could have tremendous benefits to information security professionals. With an emphasis on writing in most liberal arts programs, these potential new hires can help generate documentation to aid in the training of future employees as well. Moreover, really well-written training material can provide added benefit to the employer, should they decide to sell this material to other companies or perhaps even open source it. Finally, old exploits have ways of sticking around long after they should have been patched, and even new exploits are often built upon old computer science concepts.

One problem that has been noted by a few people is the definition of entry-level. In many current job postings for junior or entry-level penetration testers, a year or more of experience is listed as a requirement. If companies were willing to invest in training a new hire they could get a candidate up to speed much faster using their work flow, rather than having to re-train a more experienced tester. There are some opportunities for one to find that experience on their own, through bug bounties or starting a consultancy, but even then, it is difficult to get through the door with only a year of experience. This leads to a second issue, what I’ve seen others refer to as a “soft-skills gap.”

I don’t want to paint with too broad a brush, but it has been my experience that those with more refined technical skills often struggle the most interacting with non-technical people. While penetration testers are paid to attack networks, finding a tactful way to tell the client how you thrashed their network can be very difficult. It can also be hard to explain how you were able to leverage a highly complicated exploit in order to gain a shell on their server using language the person on the other side of the table can actually understand. This is another avenue where having a liberal arts major, trained in information security, would be handy. During their college years, these individuals’ courses of study almost require the development of soft-skills and the ability to communicate effectively, unlike most STEM programs which do not have nearly the same requirements.

At this point, I can almost feel the objections that some of you reading this right now are having. Perhaps you are thinking, “there is too much to learn to go from zero training to penetration testing” and I agree. However, penetration testing is not an entry-level position. Even an entry-level penetration tester needs to have a few years of experience working in IT before moving on to infosec. You could start a liberal arts major in the help desk and let them work their way up. After a year at the help desk, a move to systems or network administration will help further develop the skills necessary to be a successful penetration tester. Even if they do not use it at work, making the switch to using Linux full-time outside of work can make a tremendous difference as well. I switched for ethical reasons about a decade ago, and it has been very beneficial in my information security career. For the professional-in-training, after a few years of using Linux full-time and getting experience administering servers or networks, the liberal arts graduate will be ready to transition to a role in information security.

Personally, it took me roughly two months to own my first boot2root. Within six months I had popped a shell on a client engagement. Before the end of my first full year in information security, during the PWK labs, I was able to root thirteen boxes during my two months in the lab. Nearly all of this was self-directed, with only a few nudges along the way. With a mentor, I firmly believe a liberal arts major with a few years of IT experience could quickly become a successful penetration tester.

There are also a number of resources for a person to train on their own. If they can afford it, there are certification courses to increase your skills and knowledge, from the eLearnSecurity Junior Penetration Tester (eJPT) to the Penetration Testing with Kali Linux course for the OSCP, to the highly-respected (but potentially cost-prohibitive) SANS courses. There are also certifications from the ISC2 as well, though often they end up being more HR filters than indicative of technical skills. All of that is to say that there are a number of ways to show potential employers that liberal arts majors can make excellent contributions to IS/IT (information security / information technology) despite lacking the formal academic training of STEM degree holders.

While I am not so unrealistic as to think that all tech hiring managers should ignore STEM degree holders and seek out individuals who have degrees in liberal arts, I hope that this essay has given them something to think about. While I was originally going to write that it may not be a great idea to only hire people with liberal arts degrees, I am firmly convinced that anyone, regardless of whether they hold a degree or not, can be trained over time to work in IS/IT. Attributes like critical thinking, research, and effective communication skills are just a few of the benefits of my liberal arts education, but anyone with enough passion and drive to learn can become highly skilled. My hope is that, if you are a hiring manager or a recruiter, you would consider individuals who come from non-traditional backgrounds. Finally, liberal arts degree holders bring a passion and a drive to prove themselves that drive them to work tremendously hard.

One final note (since this wasn’t available when I wrote this essay), if you are interested in learning about web application hacking, there is an incredible free course from the company that makes Burp Suite called the PortSwigger Academy, and you can check that content out for free here.

Thanks for reading!
