How to Get into Information Security

Dear BHIS,

So I’m a big fan of you guys’! I took John’s SANS504 OnDemand class and I saw the light. Now what? I want to get into security, (maybe because I want to torture myself) but how? How do I make the next step? How do I get into infosec? Also are you guys hiring?


Dear Tortured,

No, sorry, we’re not hiring right now, but let’s back up to the heart of your question.

Infosec is a fairly new field and we’re still all figuring things out as we go – it truly is the Wild West, full of possibility, danger, and craziness! But you’re on the right track, keep educating yourself. Degrees and certifications are good but there’s lots of education in this industry that’s free, and easily accessible.

If you’re super serious about wanting to get into information security, go find yourself a job as part of a Blue Team. Try a small shop where you might get to do a little more and have more voice. (1) It might seem like going backward to be doing IT for mom and pop shops, but this is where security is the most vulnerable and you’ll probably realize you know a lot more than you think. Nothing will help the rubber meet the road quite like having a place to try things out, and understand what needs to be fixed. If you’re at a larger place you might not get to be in a role where you make decisions. This will give you a lot of knowledge down the road. If you become a pen tester at some point in your career, having blue team experience will be invaluable to you (and your employer). This is probably a good place to learn to “networking” – the foundation of all communications, you can’t hack if you don’t understand TCP/IP/UDP and the fundamentals of switching, routing, ACLs, and sockets. When you learn to blue team, figure out how to break your own work, and then fix it again.

Here are some blogs and other resources we’ve also found helpful:
-John’s classic “Infosec Basics & Fundamentals”
Derek talks about some general ideas “Developing Hacking Kung Fu (or How To Get Into Information Security)”

Here’s a whole list of other starting in infosec blog posts:

If watching videos is more your style, our website has a wealth of webcasts and conference talks we’ve done. Watch them. And sign up for our webcasts.

Here’s the gist of what John says when we overhear him talk to people: “Learn to code in Python, use Linux somewhere, play with sed and awk.” 

There are BSides conferences everywhere! These are smaller, intimate places to hear and meet like minded infosec people. If you have time, volunteer. You will feel like a n00b, everyone does. After a few times attending, submit a talk, and then submit another talk.

You also might start a Twitter account and engage with it. Twitter is one of those things where it remains what you make it. If you’re building it expressly to learn more about infosec keep it focused, don’t rabbit hole down your other interests. Follow people in the security industry and pay attention to what’s going on, this is the best and cheapest way to build your own threat intelligence feed. (2) Find someone you like and look at their lists, that’s a great way to start to know who’s who and what’s happening in infosec. Check out Ethan Robish’s list.

We live in an age when people can actually be involved and be doing the things they say they want to do in their career. You want to be in infosec? Don’t wait for someone to hire you, or make your dreams come true for you – start building them yourself.

Keep us posted and good luck in all your future endeavors!

With Love,

Black Hills Information Security


(1) We saw this tweet as we were writing this response, couldn’t agree more! Thanks, @highmeh

(2) Yes! @0daySimpson