This article addresses multiple topics which have been covered before by others and is based on my opinion so feel free to disagree. I am often asked about these topics and have myself made some unfair comments towards some of them. When discussing these topics I speak to an individual who cares about seeking in depth knowledge of Infosec topics while continuing to challenge themselves frequently.
Do you need school or certifications to get into Infosec?
It’s a great question and I would say it’s a personal and career choice. The clear answer is no you do not need a degree or certifications to get into Infosec. Some people like self study and are not inclined towards school. This represents my personal standpoint. I have however gotten some harsh feedback when I plain bash going the school route. It is true there are a lot of skills you can learn from seeking a formal education and certifications. This can also help you get your foot in the door for interviews.
I have also faced companies who bluntly told me I would never make more than a certain amount because I didn’t have a degree. This point of view is completely incorrect but also warrants some deeper analysis. Yes you could be blocked from a number of opportunities in life because of not having the education level or certifications they request. You could be the best candidate on all fronts and still be viewed as a lower life form simply because you didn’t choose the formal education path. The problem exists on the other side of the spectrum where some people just learn how to do the school and certification thing really well but lack even the basic skills necessary to do the job.
Does using tools make you less skilled?
The answer is no with a small caveat. Using the right tools to get the job done is never a bad thing. It’s when you have little understanding of the inner workings of the tools that it becomes a problem. This leaves you unable to make even small modifications when necessary. It also causes an inability to write your own tools when the situation arises.
Using certain tools, frameworks, and distros are viewed by some as taking the easy way out. I would say I could give a person with no construction skills all the necessary tools to build a house and the chance of them doing it right is extremely low. I agree some tools have lowered the barrier to entry for less skilled individuals to perform certain tasks. I personally use the tools necessary to get the job done in a timely manner. One should however always be able to perform the same task without them.
What do you mean by fools?
As Infosec has become a very popular career choice I have seen some completely foolish ideas, thoughts, and perspectives. The first fool thinks they are going to be proficient by lightly dabbling in security here and there. Choosing Infosec as a career requires heavy immersion in the topic, passion, and dedication. If you don’t dedicate the time necessary to gain depth and get hands on experience then no amount of talking is going to stop a decently skilled interviewer from seeing through your bullshit.
The second thing I will mention are people that get about 1 inch deep on a few topics and believe they have enough knowledge to start passing their opinion off as fact. These people gain a fundamental understanding of just the concepts and they believe they are proficient at a topic. A complete lack of actual hands on experience doesn’t bother them at all. I am a huge advocate of growth through hands on experience because it gives you a much deeper understanding. I simply can’t understand why exchanging regurgitated facts keeps some people so satisfied.
I will end this article with a simple note to employers. I keep hearing about this shortage of people qualified to fill Infosec roles. I also notice that most companies are only hiring for senior positions. We need to start investing in the next generation of Infosec professionals. As somebody who was recently hired with no formal resume experience based solely on passion and self taught skills I can say the people who can fill these roles are out there. You simply need to look at passion instead of degrees and certifications as well as ability to challenge oneself on a daily basis. I also implore you to put people up against hands on challenges to qualify for employment. Many penetration testing firms already employ this tactic and it can quickly weed out candidates that are full of shit and lack actual hands on skills.