breaking_in_data

Survey responses (all collected 2/20/2012), one row per respondent:

| Timestamp | Time in security | Job type | Do you have to be able to program to be a pen-tester? | If so, which would you recommend? (No flame wars please) |
|---|---|---|---|---|
| 2/20/2012 14:06:16 | 7+ years | Log analyst, IDS/Firewall admin | No, but it helps | Bash Scripting, Python, PHP |
| 2/20/2012 14:07:35 | <1 year | Penetration tester | Think you can get by without but to get to a decent level it's needed | Bash Scripting, Anything you are comfortable with |
| 2/20/2012 14:08:27 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin | Yes | Bash Scripting, Windows Powershell, Perl |
| 2/20/2012 14:08:44 | 1-3 years | Software engineer | No, but it helps | |
| 2/20/2012 14:09:30 | <1 year | Malware analyst, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Python, C, Java |
| 2/20/2012 14:10:08 | 7+ years | Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Ruby, Python, C, PHP, C++, Batch Scripting, C# |
| 2/20/2012 14:11:51 | 4-7 years | Penetration tester | No, but it helps | Windows Powershell, Ruby, Python |
| 2/20/2012 14:17:04 | <1 year | student | Don't know | Python |
| 2/20/2012 14:18:44 | 1-3 years | Log analyst, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Ruby, Python, Lua |
| 2/20/2012 14:22:41 | 1-3 years | Sys-admin | No, but it helps | Bash Scripting, Python, PHP, C++ |
| 2/20/2012 14:22:50 | 7+ years | Penetration tester, Policy writer, Manager, Reverse engineer, Exploit developer, Malware analyst, Log analyst | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting, Perl |
| 2/20/2012 14:24:11 | 4-7 years | Penetration tester | Yes | Ruby, Python, C |
| 2/20/2012 14:24:27 | 4-7 years | Vulnerability auditor, Policy writer, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Python |
| 2/20/2012 14:27:35 | 1-3 years | Vulnerability auditor, Policy writer, Log analyst | Yes | PHP |
| 2/20/2012 14:27:51 | 4-7 years | Vulnerability auditor, Penetration tester | Yes | Bash Scripting, Ruby, Python, C, VB, Perl |
| 2/20/2012 14:29:03 | 7+ years | Penetration tester | Yes | Bash Scripting, Windows Powershell, Ruby, Python, C++, Lua |
| 2/20/2012 14:31:21 | 7+ years | Penetration tester | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting |
| 2/20/2012 14:31:23 | 4-7 years | Vulnerability auditor, Penetration tester, PCI auditor, student | Yes | Bash Scripting, Ruby, Python, C, PHP, C++, Batch Scripting |
| 2/20/2012 14:31:43 | 1-3 years | Penetration tester | Yes | Bash Scripting, Python, C, C++, C# |
| 2/20/2012 14:33:03 | 4-7 years | Policy writer, IDS/Firewall admin, Sys-admin, Vuln Management | Yes | Bash Scripting, Windows Powershell, Ruby, C, PHP, Batch Scripting |
| 2/20/2012 14:33:32 | 1-3 years | Penetration tester, Reverse engineer, Exploit developer | at least a scripting language | Bash Scripting, Ruby, Python |
| 2/20/2012 14:36:45 | 4-7 years | Vulnerability auditor, Penetration tester, PCI auditor, Log analyst | No, but it helps | Bash Scripting, Windows Powershell, Python, Batch Scripting |
| 2/20/2012 14:40:17 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer | No, but it helps | Python, C, PHP, Java |
| 2/20/2012 14:42:41 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Python, C, Java, Lua, VB |
| 2/20/2012 14:45:22 | 4-7 years | Penetration tester, Policy writer | No, but it helps | Bash Scripting, Windows Powershell, Batch Scripting |
| 2/20/2012 14:45:51 | 4-7 years | Penetration tester, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua, JavaScript |
| 2/20/2012 14:46:34 | 7+ years | Manager, Sys-admin | No, but it helps | Bash Scripting, Ruby, Python, PHP, Batch Scripting, VB |
| 2/20/2012 14:46:35 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, A security generalist. As part of a team of 2, I do all things security for a large non-profit. | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python |
| 2/20/2012 14:48:14 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Reverse engineer, Exploit developer, Malware analyst, Log analyst, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua |
| 2/20/2012 14:48:39 | 7+ years | Vulnerability auditor, Malware analyst | Yes | Bash Scripting, Ruby, Batch Scripting |
| 2/20/2012 14:50:14 | 1-3 years | Policy writer, incident response and forensics | Yes | Python, C++ |
| 2/20/2012 14:51:20 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor | No, but it helps | Python, PHP, Perl |
| 2/20/2012 14:53:18 | 4-7 years | Vulnerability auditor, Penetration tester, Exploit developer | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python |
| 2/20/2012 14:58:15 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Perl |
| 2/20/2012 14:59:41 | <1 year | Sys-admin | No, but it helps | Bash Scripting, Python, PHP, Java, Batch Scripting |
| 2/20/2012 15:01:36 | 7+ years | Penetration tester, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident Response/Forensics | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting |
| 2/20/2012 15:02:53 | 7+ years | Vulnerability auditor, Penetration tester, Exploit developer, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Python, C, C++, Java |
| 2/20/2012 15:03:22 | 7+ years | Malware analyst, Sys-admin, Forensic Analyst | No, but it helps | Bash Scripting, Windows Powershell, Python, C, Batch Scripting |
| 2/20/2012 15:04:55 | 7+ years | Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin, Social Engineer | scripting at a bare minimum | Bash Scripting, Windows Powershell, Python, Batch Scripting |
| 2/20/2012 15:06:41 | 1-3 years | IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Ruby, Python, Batch Scripting |
| 2/20/2012 15:06:42 | 4-7 years | Vulnerability auditor, Penetration tester, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Python, PHP |
| 2/20/2012 15:07:22 | 7+ years | NINJA | Yes | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C# |
| 2/20/2012 15:08:03 | 4-7 years | Penetration tester, Reverse engineer, Sys-admin | No, but it helps | Bash Scripting, PHP, C++, VB |
| 2/20/2012 15:09:56 | 7+ years | Vulnerability auditor, Policy writer, Manager, Log analyst, IDS/Firewall admin, Architect | Yes | Bash Scripting, Windows Powershell, Python, C, PHP, Batch Scripting |
| 2/20/2012 15:10:15 | 4-7 years | Penetration tester, Policy writer | No, but it helps | Bash Scripting, Windows Powershell, Python, PHP |
| 2/20/2012 15:11:37 | 4-7 years | Penetration tester | No, but it helps | Bash Scripting |
| 2/20/2012 15:13:35 | 1-3 years | IT Security Officer | Yes | Bash Scripting, Windows Powershell, Ruby, Python |
| 2/20/2012 15:13:52 | 1-3 years | Policy writer, Architect | Yes | Bash Scripting, Python, Batch Scripting, VBS |
| 2/20/2012 15:23:37 | 1-3 years | Vulnerability auditor, Penetration tester, IDS/Firewall admin, Sys-admin | No, but it helps | Ruby, Python |
| 2/20/2012 15:24:55 | 7+ years | Penetration tester, Exploit developer, Trainer | No, but it helps | Bash Scripting, Python |
| 2/20/2012 15:25:26 | 1-3 years | Penetration tester | No, but it helps | Bash Scripting, Ruby, Python, PHP, Batch Scripting |
| 2/20/2012 15:34:42 | 4-7 years | Student | No, but it helps | Python, C, PHP, Java, Batch Scripting |
| 2/20/2012 15:36:22 | 4-7 years | Vulnerability auditor, Penetration tester, Exploit developer, Log analyst, Sys-admin | Yes | Bash Scripting, Python, C |
| 2/20/2012 15:38:34 | 7+ years | Cybersecurity communications/employee awareness | No, but it helps | No opinion, not a programmer |
| 2/20/2012 15:39:08 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Malware analyst, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Python, C, PHP |
| 2/20/2012 15:40:24 | 7+ years | Penetration tester, Policy writer, Manager | Yes | Bash Scripting, Python, C |
| 2/20/2012 15:41:49 | 7+ years | Reverse engineer, Exploit developer, Malware analyst | No, but it helps | Bash Scripting, Python, C |
| 2/20/2012 15:42:05 | 7+ years | Penetration tester, Reverse engineer, Malware analyst, Sys-admin | Yes | Bash Scripting, Python, C, PHP, C++ |
| 2/20/2012 15:42:39 | 1-3 years | Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, Assembly |
| 2/20/2012 15:45:31 | 7+ years | Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Python |
| 2/20/2012 15:47:20 | 4-7 years | Policy writer, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Python, C++, Batch Scripting, C# |
| 2/20/2012 15:51:19 | 4-7 years | Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Ruby, Python |
| 2/20/2012 15:54:38 | 1-3 years | Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Python |
| 2/20/2012 16:00:14 | 7+ years | Log analyst, IDS/Firewall admin, Sys-admin, Developer | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, ASM |
| 2/20/2012 16:02:43 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Researcher | I know some that don't but it's a big glass ceiling | Bash Scripting, C, PHP, Java, C#, Those are the ones clients want, I think the key point is to have language agility |
| 2/20/2012 16:04:08 | <1 year | Vulnerability auditor, Penetration tester, Malware analyst, IDS/Firewall admin, Sys-admin | Don't know | Bash Scripting, Python, PHP, Java |
| 2/20/2012 16:04:46 | 7+ years | Vulnerability auditor, Penetration tester, Malware analyst | Yes | Bash Scripting, C, PHP, C++, Java, Batch Scripting, C#, RPG, COBOL, TAL, FinacleScript |
| 2/20/2012 16:06:29 | 1-3 years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Python, C, Java, LISP |
| 2/20/2012 16:12:08 | 7+ years | Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, C#, Perl |
| 2/20/2012 16:12:58 | 4-7 years | Policy writer, Log analyst, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting |
| 2/20/2012 16:13:00 | 7+ years | Vulnerability auditor, Penetration tester, Exploit developer | It depends. App pentest, I would say yes. Network pentest, it helps. I think you can HELP pentest without all the rest, but eventually you need to script to data parse if nothing else. | Bash Scripting, Windows Powershell, Ruby, Python |
| 2/20/2012 16:13:03 | 4-7 years | Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin | Yes | PHP, Batch Scripting, Perl |
| 2/20/2012 16:13:44 | 7+ years | Vulnerability auditor, Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Everything |
| 2/20/2012 16:15:11 | <1 year | Sys-admin | No, but it helps | Ruby, Python |
| 2/20/2012 16:16:31 | 4-7 years | Vulnerability auditor, Reverse engineer, Exploit developer, Malware analyst | Yes | Python, C |
| 2/20/2012 16:17:20 | 7+ years | Reverse engineer, Malware analyst, Log analyst | No, but it helps | Bash Scripting, Ruby, Python, C, PHP, Java, Batch Scripting |
| 2/20/2012 16:18:07 | 7+ years | Vulnerability auditor, Penetration tester, Sys-admin, Incident response | Good shell scripting can get you by, but to write good shell scripts you can usually program | Bash Scripting, Ruby, Python, C, PHP, Java, Batch Scripting, C#, NO PERL? WTF! #FAIL |
| 2/20/2012 16:18:15 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua |
| 2/20/2012 16:20:28 | 7+ years | | No, but it helps | Bash Scripting, Windows Powershell, Python, C, PHP, C++, Java, Batch Scripting, VB |
| 2/20/2012 16:20:52 | 7+ years | Vulnerability auditor, Policy writer, Manager, Risk management | No | |
| 2/20/2012 16:22:48 | <1 year | | No, but it helps | C++ |
| 2/20/2012 16:24:02 | 7+ years | Vulnerability auditor, Penetration tester, Manager, PCI auditor | Yes | Bash Scripting, Python, C, PHP, language less important than programming ability |
| 2/20/2012 16:25:56 | 7+ years | Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin, Security Architect | I think you need to have a basic familiarity with multiple languages | Bash Scripting, Ruby, Python, C, C++, Java, VB |
| 2/20/2012 16:26:23 | 7+ years | Vulnerability auditor, Penetration tester, Manager, Malware analyst, Log analyst, IDS/Firewall admin | No, but it helps | Windows Powershell, Python, PHP |
| 2/20/2012 16:27:54 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, Reverse engineer, Sys-admin | Yes | C, C++, Batch Scripting |
| 2/20/2012 16:28:17 | 7+ years | Log analyst, Consultant/Vendor | Yes | Bash Scripting, C, PHP, Java, Batch Scripting, VB, Perl |
| 2/20/2012 16:30:03 | 7+ years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Python, Batch Scripting, Perl |
| 2/20/2012 16:33:49 | 4-7 years | Vulnerability auditor, IDS/Firewall admin, Sys-admin, Generalist | Yes | Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, The ability to understand them. |
| 2/20/2012 16:33:55 | 1-3 years | Penetration tester | Yes | C, PHP, Java |
| 2/20/2012 16:34:28 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, Reverse engineer, Exploit developer, Malware analyst, Log analyst, IDS/Firewall admin | To be effective, you need to learn bash, python, or Perl (a scripting language). | Bash Scripting, Python, C, VB, Perl |
| 2/20/2012 16:35:47 | 7+ years | Vulnerability auditor, Reverse engineer, Exploit developer, Malware analyst | No, but it helps | Bash Scripting, Ruby, Python, PHP, Batch Scripting |
| 2/20/2012 16:40:23 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin | Yes | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Lua, VB, ECMA in general |
| 2/20/2012 16:41:14 | 1-3 years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Ruby, Python, C, PHP, Batch Scripting |
| 2/20/2012 16:41:43 | 1-3 years | developer | Yes | Ruby, Python, PHP |
| 2/20/2012 16:43:59 | 4-7 years | Policy writer, Log analyst, IDS/Firewall admin, Sys-admin | I would say no, but having seen some of the reports that we get back I might change my mind. | |
| 2/20/2012 16:53:40 | 7+ years | Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Python, Batch Scripting |
| 2/20/2012 16:57:27 | 1-3 years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer | No, but it helps | Bash Scripting, Python, C, Batch Scripting |
| 2/20/2012 17:03:42 | 1-3 years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Ruby, Python |
| 2/20/2012 17:17:08 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin | No | |
| 2/20/2012 17:18:02 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Java, Batch Scripting, SQL, Assembler, etc... |
| (incomplete row, cut off in the source) | | Vulnerability auditor, Penetration tester, Policy writer, IDS/Firewall admin, | | Bash Scripting, Windows Powershell, Python, |
2/20/2012 17:23:26 7+ years    Sys-admin              No, but it helps   C++, Java, Lua




                               Vulnerability auditor,
                               Policy writer, Log                        Bash Scripting,
                               analyst, IDS/Firewall                     Ruby, C, Batch
2/20/2012 17:24:37 4-7 years   admin                  Yes                Scripting
                                               depends - I would
                                               encourage someone
                                               to at least know
                                               some scriipting so    Windows
                                               that they would not   Powershell, Ruby,
                              Policy writer,   bother others too     Python, C, C++,
2/20/2012 17:40:22 7+ years   Manager          muchl.                Java, C#
                                                                   Bash Scripting,
                               Manager, PCI                        Python, Lua,
2/20/2012 17:48:49 7+ years    auditor            Yes              JavaScript/NodeJS




                               Vulnerability auditor,              Bash Scripting,
                               Penetration tester,                 Windows
                               Policy writer, PCI                  Powershell, Ruby,
                               auditor, IDS/Firewall               Python, Batch
2/20/2012 17:50:24 4-7 years   admin, Sys-admin No, but it helps   Scripting, VB




                               Penetration tester,
                               Policy writer, PCI
                               auditor, IDS/Firewall
2/20/2012 17:54:19 4-7 years   admin, Sys-admin No, but it helps   Python
                               Vulnerability auditor,                    Bash Scripting,
                               Penetration tester,                       Windows
                               IDS/Firewall admin,                       Powershell, Ruby,
2/20/2012 17:58:26 4-7 years   Sys-admin              No, but it helps   Python, Lua




                               Penetration tester,
                               Policy writer, Log                        Bash Scripting,
                               analyst, IDS/Firewall                     Ruby, Python, C++,
2/20/2012 18:21:22 7+ years    admin, Sys-admin No, but it helps         Java, Lua
                                                                         Bash Scripting,
                                                                         Windows
                                                                         Powershell, Batch
2/20/2012 18:31:45 4-7 years                         No, but it helps    Scripting, VB




                               Vulnerability auditor,
                               Penetration tester,
                               Log analyst,
                               IDS/Firewall admin,
                               Sys-admin, Incident                       Bash Scripting,
2/20/2012 18:35:03 7+ years    response               No, but it helps   Python
                               Log analyst,
                               IDS/Firewall admin,
2/20/2012 18:35:45 4-7 years   Sys-admin           Don't know




                                                                         Bash Scripting,
                               Vulnerability auditor,                    Windows
                               Penetration tester,                       Powershell, Python,
2/20/2012 18:38:05 4-7 years   Policy writer          No, but it helps   C, Java
                               Vulnerability auditor,
                               Policy writer,                            Bash Scripting,
                               Manager, Log                              Windows
                               analyst, Incident                         Powershell, Ruby,
2/20/2012 18:42:59 1-3 years   response               No, but it helps   Python, C




                               Penetration tester,
                               PCI auditor, Exploit
                               developer, Sys-                           Bash Scripting,
2/20/2012 18:47:28 4-7 years   admin, Helpdesk      No, but it helps     Python, C, PHP




                                                                         Bash Scripting,
                                                                         Windows
                                                                         Powershell, Python,
2/20/2012 18:47:50 7+ years    Manager               No, but it helps    perl



                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,                            Bash Scripting,
                               Manager, PCI                              Windows
                               auditor, Log analyst,                     Powershell, Ruby,
                               Sys-admin, IT                             Python, C, Java,
2/20/2012 18:49:05 7+ years    Forensices             No, but it helps   Batch Scripting, Lua
                               Reverse engineer,
                               Log analyst, Sys-                         Bash Scripting,
                               admin, Incident                           Ruby, Python, PHP,
2/20/2012 18:53:47 7+ years    response               Yes                Perl
                                                                         Bash Scripting,
                                                                         Windows
                                                                         Powershell, Ruby,
                                                     Yes, but            Python, PHP, Java,
2/20/2012 19:37:09 7+ years    Penetration tester    academically        Batch Scripting

                               Vulnerability auditor,
                               Policy writer, Log                        Bash Scripting,
                               analyst, Sys-admin,                       Ruby, Python, C,
2/20/2012 20:09:36 1-3 years   Incident response      No, but it helps   perl
                               Policy writer,                            Bash Scripting,
                               IDS/Firewall admin,                       Windows
2/20/2012 20:21:44 <1 year     Sys-admin              Don't know         Powershell




                                                                         Bash Scripting,
                                                                         Windows
                                                                         Powershell, C++,
                               Sys-admin,                                Batch Scripting, C#,
2/20/2012 20:24:22 1-3 years   Helpdesk              No, but it helps    DOS
                              Penetration tester,
                              Reverse engineer,
                              Malware analyst,
                              Sys-admin, Incident
                              response, IT                           Python, C, C++,
2/20/2012 20:33:03 <1 year    Forensices          No, but it helps   Java




                              Penetration tester,
2/20/2012 21:03:39 7+ years   Manager               No
                                                                         Bash Scripting,
                                                                         Windows
                               Vulnerability auditor,                    Powershell, Ruby,
                               Penetration tester,                       Python, C, PHP,
2/20/2012 21:07:46 1-3 years   Sys-admin              No, but it helps   Batch Scripting




                               Penetration tester,
                               Policy writer,
                               Manager, Incident                         Bash Scripting,
2/20/2012 21:08:09 7+ years    response              No, but it helps    Python, C++, Java



                               Vulnerability auditor,
                               Penetration tester,                       Bash Scripting,
                               Sys-admin,                                Ruby, Python, PHP,
2/20/2012 21:10:15 <1 year     hardware/whitebox No, but it helps        C++
                                                                       Any of the common
                                                                       ones like
2/20/2012 21:10:21 1-3 years   Manager              No, but it helps   C/C++/Pascal/PHP




                                                                       Bash Scripting,
                               Log analyst,                            Windows
                               IDS/Firewall admin,                     Powershell, Ruby,
                               Sys-admin, Incident                     Python, C, perl /
                               response, IT                            what ever lang you
2/20/2012 21:16:01 4-7 years   Forensices          No, but it helps    know
                               Vulnerability auditor,
                               Penetration tester,
                               Reverse engineer,
2/20/2012 21:23:03 4-7 years   Exploit developer      No, but it helps   Ruby, Python, PHP




                               Helpdesk, Incident                        As many as
2/20/2012 21:37:50 7+ years    response              No, but it helps    possible
                               Vulnerability auditor,
                               Manager,
                               IDS/Firewall admin,
2/20/2012 22:15:41 1-3 years   Sys-admin              No, but it helps   Python


                               Penetration tester,
                               Policy writer,
                               Manager, PCI                              Bash Scripting,
                               auditor, Incident                         Python,
                               response, IT                              Understanding a
2/20/2012 22:20:24 4-7 years   Forensices            No, but it helps    script basics
                                                      Sorry, I find the term
                                                      pen-tester to be
                                                      poorly defined. Do
                               Vulnerability auditor, you have to be able
                               Penetration tester, to code to do a
                               Policy writer,         network pentest?
                               Manager, Exploit       No, but it helps. Do
                               developer, Incident you have to be able
                               response,              to code to be an
                               Application Security application security Ruby, Python, C,
2/20/2012 22:22:19 4-7 years   Consultant             professional? Yes. PHP, C++, Java, C#




                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Manager, Log
                               analyst, IDS/Firewall
                               admin, Sys-admin,                       Bash Scripting,
2/20/2012 22:33:39 7+ years    Incident response      Yes              Python, C
                               Vulnerability auditor,
                               Penetration tester,
                               PCI auditor,
                               Malware analyst,
                               IDS/Firewall admin,                       Bash Scripting,
2/20/2012 22:35:10 7+ years    Sys-admin              Yes                Python, C, PHP




                               Policy writer, Log
                               analyst, IDS/Firewall No, but you had
                               admin, Incident       better be able to   Bash Scripting,
2/20/2012 22:36:29 4-7 years   response              learn               Python, Perl
                                                                   Bash Scripting,
                                                                   Ruby, Python, C,
                                                                   PHP, C++, Java,
                               Policy writer,                      Batch Scripting, VB,
2/20/2012 23:00:13 1-3 years   Manager          No, but it helps   C#
                                                                   Bash Scripting,
                                                                   Windows
                                                                   Powershell, Python,
2/20/2012 23:08:07 1-3 years   Student          No, but it helps   PHP




                                                                   Python, C, PHP,
2/20/2012 23:08:42 1-3 years   Student          Yes                Perl




2/20/2012 23:13:08 1-3 years   Manager          Yes                Lua
                               Vulnerability auditor,
                               Log analyst,                           Bash Scripting,
2/20/2012 23:21:20 1-3 years   IDS/Firewall admin No, but it helps    Ruby, Python




                                                                      Bash Scripting,
                                                                      Python, Assembly
                                                                      Language is a
2/20/2012 23:21:48 7+ years    CIRT Team           No, but it helps   strong option.
                               Vulnerability auditor,
                               Penetration tester,                       Bash Scripting,
2/20/2012 23:25:52 1-3 years   big 4 consultant       No, but it helps   Batch Scripting
                              Vulnerability auditor,
                              Penetration tester,
                              Reverse engineer,
2/21/2012 0:14:54 7+ years    Exploit developer      No, but it helps   Python




                                                                        Bash Scripting,
                              Reverse engineer,                         Ruby, Python, C,
2/21/2012 3:16:46 1-3 years   Malware analyst       Yes                 Batch Scripting
2/21/2012 4:43:27 7+ years    Security Architect    Don't know          Bash Scripting




                              Vulnerability auditor,
                              Penetration tester,
                              Policy writer,
                              Manager,
                              IDS/Firewall admin,
                              Sys-admin, Incident                       Ruby, Batch
2/21/2012 4:59:50 1-3 years   response               No, but it helps   Scripting



                              Vulnerability auditor,
                              Penetration tester,                       Windows
                              Policy writer,                            Powershell, Python,
2/21/2012 7:40:59 1-3 years   Manager                No, but it helps   Java


                              Sys-admin,                                Bash Scripting,
                              Helpdesk, Incident                        Python, C++, Batch
2/21/2012 8:05:50 <1 year     response              Yes                 Scripting


                              Log analyst,
2/21/2012 8:50:11 <1 year     Helpdesk              Don't know
                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer, Log                        Bash Scripting,
                               analyst, IDS/Firewall                     Windows
                               admin, Sys-admin,                         Powershell, Ruby,
                               Incident response,                        Python, Batch
2/21/2012 11:57:42 7+ years    IT Forensices          No, but it helps   Scripting



                                                                         Bash Scripting,
                                                                         Windows
                                                                         Powershell, PHP,
                               DoD CIO and 3'rd                          Batch Scripting,
                               party DAICAP                              ASP, ASPdotNET,
2/21/2012 12:43:09 7+ years    validator             No, but it helps    HTML

                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               IDS/Firewall admin,                       Bash Scripting,
                               Sys-admin,                                Windows
                               Helpdesk, Incident                        Powershell, Ruby,
2/21/2012 12:46:04 7+ years    response               No, but it helps   Python


                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Manager, PCI
                               auditor, Log analyst,
                               IDS/Firewall admin,                       Bash Scripting,
                               Sys-admin, Incident                       Windows
                               response, IT                              Powershell, Python,
2/21/2012 13:01:33 4-7 years   Forensices             Yes                C




                               Vulnerability auditor,
                               Penetration tester,
2/21/2012 13:15:13 7+ years    Project reviewer       No
                               Vulnerability auditor,                    Batch Scripting, VB,
                               Log analyst,                              autoit; these are
                               IDS/Firewall admin,                       what I am currently
                               Sys-admin,                                able to do, not
                               Helpdesk, Incident                        necessarily the best
2/21/2012 13:49:24 1-3 years   response               No, but it helps   reco




                               Penetration tester,
                               Manager, IT
                               Forensices, 24
                               years in physical
2/21/2012 14:00:28 7+ years    security, 3 in IT     No, but it helps

                               Vulnerability auditor,
                               Penetration tester,                       Python, C, PHP,
2/21/2012 14:04:27 1-3 years   Incident response      Yes                C++, Java
                                                                         Bash Scripting,
                               Vulnerability auditor,                    Python, C, PHP,
                               Penetration tester,                       C++, Java, Batch
2/21/2012 14:07:47 7+ years    Policy writer          Yes                Scripting
                               Penetration tester,                       Bash Scripting,
                               Sys-admin, IT                             Ruby, Python, C,
2/21/2012 14:08:38 4-7 years   Forensices             No, but it helps   PHP


                               Reverse engineer,                         Bash Scripting,
2/21/2012 14:10:27 7+ years    Malware analyst       Yes                 Python, C
                                                                         Bash Scripting,
                               Sys-admin, DLP                            Windows
2/21/2012 14:16:29 1-3 years   Integrator            No, but it helps    Powershell, Python

                               Vulnerability auditor,
                               Policy writer,
                               Malware analyst,
                               IDS/Firewall admin,
                               Sys-admin,
                               Helpdesk, Incident
                               response, IT                              Bash Scripting,
2/21/2012 14:27:05 4-7 years   Forensices             No, but it helps   Ruby, Python




                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Manager, Log                              Bash Scripting,
                               analyst, IDS/Firewall                     Batch Scripting, I
                               admin, Sys-admin,                         think the scripting is
                               Helpdesk, Incident                        mandatory but
                               response, FISMA                           anything else. Is a
2/21/2012 14:28:41 7+ years    Auditor                No, but it helps   huge plus
                               Penetration tester,
                               Log analyst,
                               IDS/Firewall admin,
                               Sys-admin,                                Bash Scripting, C,
2/21/2012 14:42:48 1-3 years   Helpdesk               Yes                Perl
                               Vulnerability auditor,
                               Manager,
                               IDS/Firewall admin,
                               Sys-admin, Incident
                               response, IT
2/21/2012 14:43:11 <1 year     Forensices             Don't know
                               Policy writer,                            Bash Scripting,
                               IDS/Firewall admin,                       Python, C, PHP,
                               Sys-admin, IT                             C++, Java, Batch
2/21/2012 15:08:37 1-3 years   Forensices             No, but it helps   Scripting, C#




                               Reverse engineer,                         Bash Scripting,
                               Log analyst, Sys-                         Ruby, Python, PHP,
                               admin, IT                                 C++, Batch
                               Forensices, telco                         Scripting, rb great
2/21/2012 15:21:48 4-7 years   related tracing       Yes                 for writting utilitys
                               Vulnerability auditor,
                               Penetration tester,
                               Log analyst,                              Bash Scripting,
                               Incident response,                        Windows
2/21/2012 15:32:13 4-7 years   IT Forensices          No, but it helps   Powershell, Python




                               Vulnerability auditor,
                               Penetration tester,                       Bash Scripting,
                               Log analyst,                              Windows
                               IDS/Firewall admin,                       Powershell, Ruby,
2/21/2012 15:57:33 1-3 years   Sys-admin              No, but it helps   Python, C++
                               IDS/Firewall admin,
                               Sys-admin, Incident
                               response, IT                              Bash Scripting, C,
2/21/2012 16:01:54 1-3 years   Forensices             Yes                perl



                               Vulnerability auditor,
                               Penetration tester,
                               Reverse engineer,                         Ruby, C, Perl and
2/21/2012 16:06:35 <1 year     Exploit developer      Yes                ASM
                                                                         Bash Scripting,
                                                                         Windows
2/21/2012 16:17:54 1-3 years   security analyst      Yes                 Powershell, Python



                               Manager, PCI
                               auditor, IDS/Firewall
                               admin, Sys-admin,                         Bash Scripting,
2/21/2012 16:42:09 1-3 years   Helpdesk              Yes                 Ruby, C++

                               Vulnerability auditor,                    Bash Scripting,
                               Malware analyst,                          Windows
                               Incident response,                        Powershell, Ruby,
2/21/2012 16:50:57 7+ years    IT Forensices          No, but it helps   Python, PHP
                               Penetration tester,
                               Policy writer,
                               Manager, PCI
                               auditor, Malware
                               analyst, Log analyst,
                               IDS/Firewall admin,
                               Sys-admin,
                               Helpdesk, Incident                       Windows
                               response, IT                             Powershell, Ruby,
                               Forensices,                              Python, Batch
2/21/2012 16:59:17 7+ years    Forensics             No, but it helps   Scripting, C#




                               Penetration tester,
                               Exploit developer,                       Bash Scripting,
2/21/2012 17:26:00 1-3 years   Sys-admin             Yes                Ruby, Python
                                                                        Bash Scripting,
                               Penetration tester,                      Windows
                               Policy writer,                           Powershell, Ruby,
                               Manager, Log                             Python, C, PHP,
                               analyst, IDS/Firewall                    C++, Java, Batch
                               admin, Sys-admin,                        Scripting, Lua, VB,
                               Incident response,                       C#, All you can
2/21/2012 17:28:03 4-7 years   IT Forensices         Yes                learn!
                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer, PCI
                               auditor, Log analyst,
                               IDS/Firewall admin,                       Bash Scripting,
                               Sys-admin, Incident                       Windows
                               response, IT                              Powershell, Python,
2/21/2012 18:37:40 7+ years    Forensices             No, but it helps   Batch Scripting
                               Reverse engineer,
                               Exploit developer,
2/21/2012 19:40:41 1-3 years   Malware analyst        No                 Ruby, Python, C




                                                                         Bash Scripting,
                                                                         Windows
2/21/2012 20:50:01 7+ years    Penetration tester    Yes                 Powershell, Ruby
                                                                         Bash Scripting,
                               Vulnerability auditor,                    Ruby, Python, C,
                               Penetration tester,                       PHP, C++, Java,
                               Log analyst,                              Batch Scripting, VB,
                               IDS/Firewall admin,                       C#, Perl; be able to
                               Sys-admin,                                read code and pick
                               Helpdesk, Incident                        up a new language
2/21/2012 21:28:15 7+ years    response               No, but it helps   as needed




2/21/2012 21:32:58 | 4-7 years | Penetration tester | No, but it helps | Bash Scripting, Python, PHP, Batch Scripting
2/21/2012 22:10:00 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Helpdesk | No, but it helps | Windows Powershell, Python, Batch Scripting
2/21/2012 22:53:21 | <1 year | Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting, VB, C#
2/21/2012 23:34:20 | 7+ years | Penetration tester, Malware analyst, Log analyst, Incident response, IT Forensics | No, but it helps | Bash Scripting, Ruby, Python
2/22/2012 0:29:57 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Incident response | No, but it helps | Bash Scripting, Python, Batch Scripting
2/22/2012 1:15:46 | 1-3 years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, IDS/Firewall admin, IT Forensics | Yes | Bash Scripting, Python, C, PHP
2/22/2012 1:18:08 | 1-3 years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Sys-admin | Yes | Bash Scripting, Python, C, PHP, Perl
2/22/2012 3:59:22 | <1 year | Log analyst | Yes | Bash Scripting, Python, Java
2/22/2012 8:59:47 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, IDS/Firewall admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++
2/22/2012 12:02:40 | 1-3 years | Malware analyst, IT Forensics | No, but it helps | Bash Scripting, Python, C
2/22/2012 12:18:12 | 7+ years | Vulnerability auditor, Policy writer, Manager, IT Forensics | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python
2/22/2012 14:09:28 | 4-7 years | Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Windows Powershell, Ruby, Python
2/22/2012 15:07:48 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response | No, but it helps | Ruby, Python, PHP
2/22/2012 15:54:27 | 4-7 years | Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting
2/22/2012 15:55:18 | 4-7 years | Vulnerability auditor, Penetration tester, Log analyst, Incident response, IT Forensics, architect | No, but it helps | Bash Scripting, Python, C, PHP, C++, Batch Scripting
2/22/2012 15:55:34 | 1-3 years | Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, Incident response, IT Forensics, I am a director, I do not necessarily perform all the duties I have checked, I am trained in each of them (SANS certs) and I develop and manage the programs. | No, but it helps | Python, PHP, C++, Java
2/22/2012 16:01:48 | 4-7 years | Penetration tester, Policy writer, Manager, Incident response | Yes | Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua
2/22/2012 16:17:39 | <1 year | Vulnerability auditor, IT Forensics | No, but it helps | Bash Scripting, Python, Batch Scripting
2/22/2012 16:56:43 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor | No, but it helps | Bash Scripting, Python, PHP, Batch Scripting
2/22/2012 21:00:56 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, Incident response, IT Forensics, Developer | Yes | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, impossible to say depending on job
2/22/2012 22:06:55 | 7+ years | Penetration tester, Reverse engineer, Malware analyst, Log analyst | Yes | Bash Scripting, Python, C, C++
2/22/2012 22:23:48 | 7+ years | Vulnerability auditor, Policy writer, Manager, Incident response, risk management | No, but it helps | Bash Scripting, Windows Powershell
2/23/2012 1:56:08 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, advisor, security architect, director, hacker | No, but it helps | Bash Scripting, Python, C, PHP, C++
2/23/2012 6:58:02 | 7+ years | Log analyst, IDS/Firewall admin, Sys-admin, Incident response | Yes | Windows Powershell, Python
2/23/2012 10:58:32 | 7+ years | Penetration tester | No, but it helps | Bash Scripting, Ruby, C
2/23/2012 13:52:01 | 4-7 years | Penetration tester, Manager, IDS/Firewall admin, Sys-admin, Helpdesk | No, but it helps | Bash Scripting, Python, Java
2/23/2012 16:17:33 | 7+ years | Vulnerability auditor, Policy writer, Log analyst, Sys-admin, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Python, Batch Scripting
2/23/2012 20:50:52 | 7+ years | Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, C#
2/23/2012 22:11:08 | 4-7 years | Vulnerability auditor, Penetration tester, Manager, PCI auditor, Reverse engineer, IT Forensics | Yes | Bash Scripting, Ruby, Python, C, PHP, C++, C#
2/23/2012 23:51:38 | 7+ years | Vulnerability auditor, Penetration tester, Exploit developer, Incident response | No, but it helps | Bash Scripting, Batch Scripting
2/24/2012 0:51:05 | 7+ years | Penetration tester, Policy writer, IT Forensics | Yes | Bash Scripting, Windows Powershell, Python, C, Batch Scripting
2/24/2012 3:44:52 | 7+ years | Vulnerability auditor, Policy writer, Sys-admin, Helpdesk, Network Admin/Architect | No, but it helps | PHP, Java, Batch Scripting
2/24/2012 8:32:35 | 1-3 years | Penetration tester, IDS/Firewall admin, Sys-admin | Yes | Ruby, PHP, Java
2/24/2012 13:55:14 | 4-7 years | Penetration tester, Sys-admin, Helpdesk | No, but it helps | Bash Scripting, Windows Powershell, Python, Batch Scripting
2/24/2012 14:26:52 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, IT Forensics | Yes | Bash Scripting, Ruby, C, Lua, VB
2/24/2012 14:34:43 | 1-3 years | Vulnerability auditor, Penetration tester | No, but it helps |
2/24/2012 14:45:42 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensics | No, but it helps | Bash Scripting, Windows Powershell, Python, C, PHP, C++, Batch Scripting, VB, Assembly
2/24/2012 14:59:07 | 1-3 years | Malware analyst, IT Forensics | No, but it helps | C++, Batch Scripting
2/24/2012 14:59:22 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Sys-admin | No, but it helps | Ruby, Python, C
2/24/2012 15:12:02 | 1-3 years | Penetration tester | No, but it helps | Bash Scripting, Python
2/24/2012 15:14:03 | 4-7 years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Python, Perl
2/24/2012 15:18:01 | 7+ years | Manager, IDS/Firewall admin, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, Batch Scripting, VB
2/24/2012 15:23:08 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, Manager, Malware analyst, Incident response, IT Forensics | No, but it helps | Ruby, Python, C, Java, ASM, PASCAL (I refuse to let this one go to waste!)
2/24/2012 15:25:57 | 7+ years | Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, IT Forensics | No, but it helps | Bash Scripting, Python
2/24/2012 15:35:14 | 4-7 years | Vulnerability auditor, Penetration tester, Sys-admin | No, but it helps | Bash Scripting, C
2/24/2012 15:37:56 | 1-3 years | Sys-admin | Yes | Bash Scripting, Windows Powershell, Ruby, Python
2/24/2012 15:41:26 | 4-7 years | Vulnerability auditor, Penetration tester | Yes | Bash Scripting, Python, PHP
2/24/2012 15:42:55 | 7+ years | Penetration tester, Red Team member | Yes | Ruby, Python, C, C++
2/24/2012 15:49:56 | 4-7 years | Malware analyst, Sys-admin, Incident response, IT Forensics | No, but it helps | Bash Scripting, Python, C
2/24/2012 15:51:00 | 4-7 years | Vulnerability auditor, PCI auditor, Sys-admin | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, Java, Perl
2/24/2012 15:55:25 | 1-3 years | Vulnerability auditor, Penetration tester | You should understand how computers work, and programming is one way | Ruby, Python, Java, Perl
2/24/2012 16:04:22 | 7+ years | Vulnerability auditor, Penetration tester, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response | No, but it helps | Windows Powershell, Ruby, Python, PHP, C++, Java, Lua, Perl
2/24/2012 16:12:14 | 7+ years | Vulnerability auditor, Penetration tester | Yes | Bash Scripting, Windows Powershell, Python, PHP, C++
2/24/2012 16:15:15 | 7+ years | Vulnerability auditor, Penetration tester, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk | Yes | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting, Lua, Perl
2/24/2012 16:40:14 | 7+ years | Vulnerability auditor, Penetration tester | No, but it helps | Bash Scripting, Ruby, Python
2/24/2012 17:34:48 | 7+ years | Penetration tester | No, but it helps | Bash Scripting, Ruby, Python
2/24/2012 17:54:19 | 4-7 years | Vulnerability auditor, Policy writer, Manager, Log analyst | No, but it helps | Bash Scripting, Python, PHP, Java, Batch Scripting, Perl
2/24/2012 18:15:22 | 7+ years | Vulnerability auditor, Penetration tester, Exploit developer, Malware analyst, Log analyst, Sys-admin, Helpdesk, IT Forensics | No, but it helps | Bash Scripting, Python, Batch Scripting, Perl
2/24/2012 19:02:13 | 7+ years | Manager, Sys-admin, Incident response, Security "Architect" | You have to be able to automate tasks - which usually means scripting at the very least | Bash Scripting, Windows Powershell, Python, Java, Perl
2/24/2012 19:14:23 | 1-3 years | Penetration tester, Sys-admin, Helpdesk | No, but it helps | Bash Scripting, Python, C, PHP, Batch Scripting, Perl
2/24/2012 20:28:12 | 7+ years | Penetration tester, Policy writer, Manager, Reverse engineer, Malware analyst, Incident response, IT Forensics | It helps, but it really depends on your focus and requirements. | Ruby, C, Java, Batch Scripting
2/24/2012 20:33:12 | 7+ years | Policy writer, Manager, Log analyst, IDS analyst | Yes | Python
2/25/2012 0:09:01 | 4-7 years | IDS/Firewall admin, Helpdesk, Network Signature Writer | Don't know | Bash Scripting, Python
2/25/2012 3:59:21 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, Perl
2/25/2012 10:03:04 | 7+ years | Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensics | No, but it helps | Python
2/25/2012 12:39:05 | 7+ years | Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, JavaScript
2/25/2012 15:16:12 | 4-7 years | Penetration tester, Policy writer, Log analyst, Incident response | No, but it helps | Bash Scripting, Ruby, Python
2/25/2012 15:42:01 | 4-7 years | Vulnerability auditor, Penetration tester, Manager, Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Incident response, IT Forensics | No, but it helps | Bash Scripting, Windows Powershell, Python, PHP, C++
2/25/2012 15:50:13 | 7+ years | Sys-admin, Incident response, IT Forensics | Yes | Bash Scripting, Batch Scripting, VB, Perl
2/25/2012 16:49:37 | 7+ years | Sys-admin | No, but it helps | Windows Powershell, Ruby, Python, C, Batch Scripting, VB, Perl
2/25/2012 18:08:19 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Incident response | Yes | Bash Scripting, Ruby, Python
2/25/2012 21:21:30 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Batch Scripting, Lua
2/25/2012 21:58:09 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensics | Yes | Bash Scripting, Python, C, assembly
2/26/2012 5:13:03 | 7+ years | Vulnerability auditor, Penetration tester, Manager, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Python, Batch Scripting, Perl
2/26/2012 11:08:44 | 7+ years | Penetration tester, Policy writer, Log analyst, Incident response, IT Forensics | No, but it helps | Windows Powershell, Ruby, Python, Perl
2/26/2012 11:42:11 | 1-3 years | Exploit developer, Sys-admin, IT Forensics | No, but it helps | Ruby, Python, PHP
2/26/2012 15:41:23 | <1 year | Penetration tester, Exploit developer, Sys-admin | No, but it helps | Ruby, Python, C
2/26/2012 16:04:54 | 4-7 years | Vulnerability auditor, Penetration tester, Exploit developer | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Perl, It can't hurt to know a little about everything!
2/26/2012 18:44:44 | 7+ years | Architecture | No, but it helps | Windows Powershell, Python, C, Batch Scripting
2/26/2012 22:00:12 | 4-7 years | Policy writer, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response | Don't know | Bash Scripting, Windows Powershell, Python, Batch Scripting, VB
2/26/2012 22:27:25 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, IT Forensics | No, but it helps | Bash Scripting, Python, C, PHP, C++, Java, Perl
2/26/2012 22:43:57 | 7+ years | Vulnerability auditor, Policy writer, Sys-admin, Helpdesk, Incident response | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python, PHP, Java, Batch Scripting, VB, Perl
2/27/2012 5:08:56 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, Incident response | No, but it helps | Bash Scripting, Ruby, Python, C, PHP
2/27/2012 9:10:35 | 4-7 years | Penetration tester, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response | You don't have to be able to write complete programs from scratch, but you need to know enough to be able to understand and edit code | Bash Scripting, Ruby, Python, C, PHP, Batch Scripting
2/27/2012 10:12:16 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, C&A | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python
2/27/2012 19:10:50 | 7+ years | Policy writer, Manager, Sys-admin, Operational Security | No, but it helps | Bash Scripting, C++, VB
2/27/2012 20:48:46 | 7+ years | Penetration tester, Policy writer, Manager, Incident response, IT Forensics | No, but it helps | Bash Scripting, Windows Powershell, Python, Perl
2/28/2012 2:46:06 | 4-7 years | Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, Safety Inspector, Disaster Recovery/Business Continuity Planner | No, but it helps | Bash Scripting, Python, C, PHP, Perl, Understanding SQL helps
2/28/2012 3:56:04 | 7+ years | Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Helpdesk, Incident response | No, but it helps | Bash Scripting, Python, C, Java, Batch Scripting, Perl
3/1/2012 23:19:59 | 1-3 years | Student | No, but it helps | Bash Scripting, Python, C, Perl
3/2/2012 21:08:28 | <1 year | Sys-admin, Helpdesk | No, but it helps | Bash Scripting, Windows Powershell, Ruby, Python
3/5/2012 1:18:48 | 4-7 years | Penetration tester, Reverse engineer, Exploit developer | No, but it helps | Python, C, C++
3/6/2012 17:27:20 | 1-3 years | Penetration tester, Log analyst, IDS/Firewall admin, Incident response | Yes | Bash Scripting, Python
3/6/2012 20:15:41 | 7+ years | Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, IDS/Firewall admin, Sys-admin | Yes | Bash Scripting, Ruby, Python, C, Java
3/7/2012 21:34:25 | 1-3 years | Student | No, but it helps | Bash Scripting, Ruby
3/8/2012 20:57:06 | 4-7 years | Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Incident response | No |
3/10/2012 21:39:15 | 7+ years | Vulnerability auditor, Penetration tester, Manager, Reverse engineer, Exploit developer | No, but it helps | Bash Scripting, C, Perl
3/13/2012 13:26:23 | 4-7 years | Vulnerability auditor, Penetration tester, Manager | Yes | C#
3/13/2012 15:28:01 | 4-7 years | sales engineer | No, but it helps | Bash Scripting, Ruby, Python, PHP, Java, Perl
3/14/2012 2:16:46 | 1-3 years | Penetration tester, Policy writer, Log analyst, Helpdesk, Incident response | No, but it helps | Bash Scripting, Python, PHP
                               Policy writer,
3/14/2012 12:04:49 7+ years    Manager               Yes




                               Vulnerability auditor,                    C, Batch Scripting,
3/15/2012 16:30:54 4-7 years   Penetration tester     No, but it helps   Perl


                                                                         Bash Scripting, C,
3/15/2012 23:16:04 1-3 years                         No, but it helps    PHP, Java, C#
                               military/ security as                     Bash Scripting,
 3/18/2012 7:48:58 <1 year     hobbyist                Don't know        Python, C++, Perl




                               Vulnerability auditor,
                               Penetration tester,
                               Manager,                                  Bash Scripting,
                               IDS/Firewall admin,                       Ruby, C, PHP, C++,
                               Sys-admin, IT                             Java, Batch
3/19/2012 19:21:40 <1 year     Forensices             No, but it helps   Scripting

                               Vulnerability auditor,
                               Policy writer,
                               Malware analyst,
                               Log analyst,
                               IDS/Firewall admin,
                               Sys-admin, Incident
3/19/2012 20:12:37 4-7 years   response               No, but it helps   C#, Perl

                               Vulnerability auditor,                    Bash Scripting,
                               Penetration tester,                       Windows
                               Exploit developer,                        Powershell, Ruby,
                               Malware analyst,                          Python, C++, Java,
 3/20/2012 1:46:16 <1 year     Helpdesk               Don't know         Perl
3/22/2012 12:33:43 1-3 years   full                  Don't know

                               Vulnerability auditor,
                               Penetration tester,
                               Exploit developer,
                               Malware analyst,                          Bash Scripting,
                               Log analyst,                              Windows
                               IDS/Firewall admin,                       Powershell, Python,
3/22/2012 14:57:52 7+ years    Sys-admin              No, but it helps   C, PHP, Perl

                               Vulnerability auditor,
                               Penetration tester,                       Bash Scripting,
                               IDS/Firewall admin,                       Python, PHP, Batch
3/23/2012 10:22:15 4-7 years   IT Forensices          No, but it helps   Scripting, Perl




                               Penetration tester,
                               Sys-admin, Incident                       Bash Scripting, C,
                               response, IT                              PHP, C++, Batch
3/26/2012 13:03:31 4-7 years   Forensices          No, but it helps      Scripting
                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Malware analyst,
                               Log analyst,
                               IDS/Firewall admin,
                               Sys-admin,
                               Helpdesk, Incident
                               response, IT                              Bash Scripting,
3/26/2012 13:52:10 4-7 years   Forensices             No, but it helps   Python




                                                                         Bash Scripting,
                                                                         Windows
                               Malware analyst,                          Powershell, Python,
                               Log analyst,                              C++, Batch
3/26/2012 23:49:38 7+ years    Researcher            No, but it helps    Scripting, Perl
                                                                         Bash Scripting,
                               Vulnerability auditor,                    Windows
                               Penetration tester,                       Powershell, Python,
                               Incident response,                        PHP, C++, Java,
3/29/2012 15:10:28 4-7 years   security architect     No, but it helps   Perl




                               Penetration tester,                       Bash Scripting,
 4/6/2012 20:25:53 7+ years    Manager               No, but it helps    Python, Perl



                                                                         Bash Scripting,
                                                                         PHP, Batch
4/12/2012 12:56:27 <1 year     Web Developer         Don't know          Scripting




                               Vulnerability auditor,                    Bash Scripting,
                               Penetration tester,                       Windows
                               Manager, IT                               Powershell, Python,
4/12/2012 14:57:44 7+ years    Forensices             No, but it helps   Perl
                               Penetration tester,
                               Sys-admin,
                               Helpdesk,                                Any scripting
4/16/2012 13:30:43 1-3 years   Programmer            No, but it helps   language



                               Vulnerability auditor,
                               Sys-admin, IT                            Bash Scripting,
 4/17/2012 0:49:16 1-3 years   Forensices             No                Python




                               Vulnerability auditor,
                               Penetration tester,                      Bash Scripting,
4/18/2012 15:00:54 4-7 years   Policy writer          Yes               Python
                                                                         Bash Scripting,
                                                                         Windows
                               Vulnerability auditor,                    Powershell, Ruby,
                               Penetration tester,                       Python, C, PHP,
                               Policy writer,                            Batch Scripting,
4/18/2012 15:11:45 4-7 years   Manager                No, but it helps   Perl, expect




                                                                         Bash Scripting,
4/18/2012 15:13:59 4-7 years   Manager               Yes                 Ruby, Python

                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Manager, Incident
                               response,
                               professional pain in
4/18/2012 15:15:34 7+ years    the arse               Yes                Python




                               Vulnerability auditor,
                               Reverse engineer,
                               Sys-admin, Incident
                               response, IT                              Bash Scripting, C,
4/18/2012 15:18:02 1-3 years   Forensices             Yes                PHP, Perl
                               Vulnerability auditor,
                               Reverse engineer,
                               Malware analyst,                          Bash Scripting,
                               Log analyst,                              Python, C, PHP,
                               IDS/Firewall admin,                       Know your target
                               Incident response,                        language (think web
4/18/2012 15:29:37 7+ years    IT Forensices          No, but it helps   attacks)




                               Vulnerability auditor,                    Bash Scripting,
4/18/2012 15:31:43 4-7 years   Penetration tester     Yes                Python




                                                                         Bash Scripting,
                                                                         Python, Batch
4/18/2012 15:36:35 1-3 years   Student               No, but it helps    Scripting
                               Vulnerability auditor,                    Bash Scripting,
                               Penetration tester,                       Windows
                               Policy writer,                            Powershell, really all
                               Manager, PCI                              of the above, but
                               auditor, Incident                         start with shell
4/18/2012 16:04:40 7+ years    response               No, but it helps   scripting




                                                                         Bash Scripting,
                               Vulnerability auditor,                    Windows
                               Penetration tester,                       Powershell, Ruby,
                               Log analyst,                              Python, Batch
4/18/2012 19:10:36 4-7 years   IDS/Firewall admin Yes                    Scripting
                               Policy writer,
                               Manager,
                               IDS/Firewall admin,
4/18/2012 22:45:55 7+ years    Incident response   No




 4/19/2012 1:09:44 7+ years    Manager               Don't know




                                                                         Bash Scripting,
4/19/2012 16:25:54 1-3 years   Student               No, but it helps    Python, C#, ASM

                               Vulnerability auditor,
                               Penetration tester,
                               Policy writer,
                               Malware analyst,
                               Log analyst,
                               IDS/Firewall admin,
                               Sys-admin, Incident
                               response, IT                              Bash Scripting,
4/20/2012 18:48:23 7+ years    Forensices             No, but it helps   Python, C, Perl
                              Vulnerability auditor,
                              Penetration tester,          Bash Scripting,
                              Policy writer,               Windows
                              Manager, PCI                 Powershell, Ruby,
                              auditor, Incident            Python, Batch
4/23/2012 15:20:54 7+ years   response               Yes   Scripting, Perl
Are certifications useful? | If so, which ones? | How did you get your start in security?
Yes - but only to get through HR | CISSP | Realised I had a knack for it, started in the server team but made management aware I wanted in the internet team, 3 months in I was moved over after 3 guys up and left. Work realised they could get me at a cut down price and I was happy to learn on the job.
Yes - but only to get through HR | Depends on the job | Went to lots of info sec events (2600, owasp, cons, etc), talked to people, read lots, took part in UK Cybersecurity Challenge.
Yes | SANS/GIAC, CISSP | Offered position in security due to good performance in work
Yes | CISSP | I'm a Java developer; got moved into role writing crypto-binding features. Went for Security+ then CISSP.
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc) | Spent the past 4-5 years in a systems administrator role. Security is at most an add-on to the current job or a hobby for the spare time.
Yes | SANS/GIAC, CISSP, OSCP | I've always been in security at a very low level just trying to keep the network safe with what limited knowledge that I had. But what pushed me head over heels into the industry was that we got physically breached. I honestly believe that the best way to get into the industry is to experience a breach. It's like cooking. You need to burn a few dishes to realize what doesn't work. After the breach, I knew I never wanted another physical or electronic breach to happen again and it was now personal to me. I started listening in on IRC channels and kept my mouth shut. I didn't know much, but everything that
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP | Working at large company. Was a software tester, Verification and validation stuff. Tracked down the Info sec group and started talking with them. Convinced them into letting me work part time for them to show I could learn stuff, got brought on after a few months full time.
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) | I recently went back to school
Yes | SANS/GIAC | Picking up books on the topic and constantly asking questions to anyone who knew more than me until they pushed me away. I'm still trying to get a job that has "security" title in it, but my everyday goal is to incorporate security in my decision making and constantly push for greater things within the work place on security matters. On my personal time, it involves following members of the industry on twitter, RSS feeds, and independent research and personal projects. For clarification, my answer of 1-3 yrs in security involves my personal, committed interest in security,
Yes - but only to get through HR | SANS/GIAC, CISSP, CompTIA (Security+ etc) | In the days of dial-up internet my username and password got stolen, and since then I got interested in how people are doing that. I started stealing passwords myself and tried to inform people of the security flaw that they had.
Yes | SANS/GIAC, Offensive Security | Progression from system admin, lots of hard work on my own time
Yes - but only to get through HR | | Easy, aced the interviews and had an open source portfolio.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP | Started as junior sys/net-admin in a datacentre; turns out the rest of the team didn't 'like' security stuff, so got passed all the security related jobs no one else wanted to do.
Yes - but only to get through HR | CISSP |
Yes - but only to get through HR | OSCP | Majored (B.S.) in Computer Science in college, took a concentration in Information Assurance. School sponsored my CISSP exam, which I passed first try right after graduation. Got a government job in IA right out of college.
Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP | I was a Windows admin who wanted to do something else. I started reading a lot of books and experimenting in my free time. The jump was natural.
Yes | Vendor specific, SANS/GIAC, CISSP | I wrote a DES cracker for an undergraduate C course, having successfully retrieved the University library card catalog /etc/passwd file through a TFTP directory recursion vulnerability. Got an A on the project, but also got hauled in front of campus security. The next day, the university offered me a job.
Yes | SANS/GIAC, Offensive Security | Hobbyist to a degree in security at university.
Yes | SANS/GIAC | Was a web dev, got a chance to ramp up in sec, took it. Been breaking shit since I was 10 so sec seemed like a good choice, I was convinced this was my chosen path after ph neutral and meeting the good people of this wonderful community :) \m/ \m/ Rock on! And good luck with the proj!
Yes | CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC | Applied for a job in a new OpSec team within my current org. Sideways shift from wintel support.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc) | Breaking stuff in a lab at home, wasting lots of hours reading books, manuals, looking at packets passing on zee wires, and messing about with debuggers, malware samples and trying to defend a server from multiple attacks while also attacking it and learning how attacks work.
Yes | SANS/GIAC, CISSP, OSCP, OSWP, OSCE, OSEE, OSWE | I started as an IT generalist. Security always interested me; however, when I started my career, dedicated InfoSec positions were rare. I started by volunteering for any security specific activities/projects within the organization. When it eventually became time to move on in my career I tailored my resume, highlighting my security experience, and joined a firm as an IT Security & Assurance Consultant.
Yes | SANS/GIAC | Anti-Piracy/Research
Yes | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP | HIPAA regulations forced my company to create a security position. I was interested in it and told my supervisor I wanted to take it.
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) | After being a developer and a network engineer/architect for over a decade, security was the best next step for career development without becoming a dedicated manager.
Yes | SANS/GIAC, CISSP | I started out in general IT support roles, and gradually moved into a system administrator position with a company that put a lot of focus into info sec. I had to learn a lot of auditing, and how to secure our systems. I earned the CISSP certification in 2007, which opened the door for me to get my current job as a security engineer. I've had a passion for info sec for a long time, and I think that really came out during my interview. Even though I'm not the best, I'm always trying to learn more.
No | | As a Maths grad I took a grad job after uni (non-IT) then after 2 years sought a change. Curiosity in IT and simply mentioning on a form that I would be interested in IT security landed me in a dept in which I have now stayed, roles varying, for the past 10 years.
Yes | SANS/GIAC, CISSP | While a programmer at a bank and one year out of undergrad, I got CompTIA's Security+ certification and started applying for every entry level security gig I came across. After about 3 months, I was hired at a utility that was spinning up a security operations center (SOC) as part of a 24x7 team of eight.
Yes - but only to get through HR | Offensive Security PWB | My connections I made on twitter got me 2 solid interviews when I hit rock bottom as a helpdesk guy. Without a doubt, twitter was crucial as a budding security person to connect and get my "name/handle" out there. It showed I was active and interested.
Yes | SANS/GIAC, CISSP | During graduate school (back in 2000), my advisor had a computer security research group. Through that and his influence, I got a job with the government doing security related work.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CISSP | Prior military career started me in this direction as an administrator, but have more interest since moving to a more proactive defensive stance
Yes | SANS/GIAC | 20 years as network manager/engineer in HIPAA space, etc. where security was becoming more discussed and implemented.
Yes - but only to get through HR | SANS/GIAC, CISSP | Security has always interested me. I rekindled my love for security after watching how companies ignored security issues and vulnerabilities.
| | In college, spent time poking at systems. Didn't get into trouble, as it was a different time then. First job out of college involved designing and building what would eventually be called a Linux appliance. Back then, it was
                                        just a server. Had to
                                        protect data flowing
                                        each device, so got
                   SANS/GIAC,           involved from a
                   CISSP, CompTIA       system
                   (Security+ etc), See administration
Yes                email                perspective.
                                           Intern turned
                      EC-Council (CEH      employee in a
                      etc), CISSP,         compliance-based
Yes - but only to get CompTIA (Security+   managed hosting
through HR            etc)                 company.
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), OSCP
    Started in the military as a 2651 Secure Communicator/Intel SysAdmin, working on classified systems; so it was beat into me. However, I got out and did regular sysadmin stuff, but took on other roles as I was able to display interest/capabilities (as little as they were). I always just kept up with the security scene as it was, and didn't get an actual "security" job until about 5 years ago. Thought that I would never get the job, but things I talked about, my experience, and passion for security related things got me the job.

    I was lucky...I didn't have certs or a

Yes | Vendor specific, SANS/GIAC, CISSP
    Started in 1994 when tasked with portscanning our clients at a security firm in New England.

Yes - but only to get through HR | SANS/GIAC, CISSP, CompTIA (Security+ etc)
    Started as a Sys Admin with an interest in InfoSec. Had an early manager/mentor who encouraged me in the InfoSec field.

Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP
    Learned IT systems in depth including Windows, Cisco, Novell and core network services (DNS, DHCP, etc.). Learned to use troubleshooting tools and understand what they revealed. Learned to use "hacking" tools to troubleshoot.

Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CISSP, CompTIA (Security+ etc)
    A class for CEH was being offered at a school I was attending for my MCSE. After taking the CEH course I found that their topics were vastly dated so I began doing my own research into a vast variety of infosec areas.

Yes - but only to get through HR | SANS/GIAC, CISSP
    I started as a Linux system administrator which did entail a little bit of security. I then moved to a role that required a little more security for various projects and eventually wanted to move to a full time security position. I then moved to Deloitte where I now work as a security consultant with a primary focus in vulnerability assessments and penetration testing.

Yes | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme)

Yes - but only to get through HR | SANS/GIAC, CompTIA (Security+ etc)
    Joined the Royal Corps of Signals several years ago, which is easy to get into, but very challenging. About 18 months after I left, I was fortunate to get offered a place at university studying Information Security.

Yes - but only to get through HR | CHECK Team Leader (CREST/Tiger Scheme), SANS/GIAC, CISSP
    Solid background in system management. Assisting the IT Sy Officer. Promoted to IT Sy Officer when vacancy opened.

Yes | SANS/GIAC, CISSP
    Began reading/studying security; my org found out and asked me to apply for a job transfer across the org.

    I was given on the job training because it was known that we needed a security person, but the department was immature in its understanding of the position.

Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP
    Working on open source projects and speaking at conferences.

No | EC-Council (CEH etc), SANS/GIAC
    Learned everything there is to know about UNIX operating systems, especially their security features.

Yes | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC
    I was a developer with a side-line in sysadmin/infrastructure; I looked after the Linux application servers and designed the N-tier architecture I wanted for my enterprise apps.

    Looking to progress into a pure architecture role, I joined a company as a Technical Solutions Architect working with central government and defence clients, which dictated specific security requirements including CHECK testing.

Yes | EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc)
    Hobby.

Yes | Offensive Security OSCP OSCE OSWP OSEE
    My first "official" security job, I got after releasing from the Army. I moved directly into a Security Analyst position with the government.

Yes - but only to get through HR | SANS/GIAC, CISSP
    UG was in Electronics. Got interested in crypto and network security, which led to working under a professor researching the effectiveness of web application firewalls. Got interested in security overall and went on to perform a Masters in InfoSec. Currently working as a penetration tester.

Yes | CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc)
    In my second last year of high school a friend introduced me to the backtrack distribution of Linux. It was from this point on that I seemed to gain interest in the field. Playing with various tools and trying to express my newfound knowledge in my classes was how I got to know the field in a herbal sense. Learning the technical aspects was nice but I wanted to learn the principles and business decisions driving IT security. I am now a University graduate of a 3 year course with a major in IT Security, going back for a fourth year of honours. I'm still not as knowledgeable as I aimed to be but am

Yes - but only to get through HR | CISSP
    writing/playing hacks while attending university

Yes | SANS/GIAC, CISSP, CompTIA (Security+ etc)
    I had absolutely no technical experience at all. Went to graduate school for political science, only used a computer as a word processor. In the mid 1990's, had a friend who hired me as an administrative assistant supporting a technical support team for a proxy-based firewall software company (when network firewalls were considered emerging technologies). After six months of doing admin work, one of the technical team members left and my boss replaced me with her - I had to learn TCP/IP, Unix administration, security concepts like defense in depth, etc, and firewall

Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)

Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)

No | SANS/GIAC, Offensive Security (PWB, AWE etc)

No |
    It was a natural extension of my education.
Yes - but only to get through HR | EC-Council (CEH etc), CISSP
    I started listening to podcasts at work, and then I picked up more and more podcasts, and eventually I ran out of pure linux casts that were not full of twits, so I went to security as well. From there everything kind of exploded.

Yes | SANS/GIAC
    It became a natural next step from my sysadmin position. I moved into log analysis and incident response. I found that it was hard and moved to the red side after that. :)

Yes - but only to get through HR | CISSP
    Started working for a payment card transaction company after I'd designed and created the entrance system used at a Scandinavian Masters event in Sweden, 2003.

Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc)
    I started in IT Consulting and gradually gained more security-related contracts like Firewall implementations/management, IDS monitoring/tuning, and eventually incident response. Many of the organizations I would consult for had well-established IT departments, but very few had any security roles.

Yes | SANS/GIAC
    Started reading Richard Bejtlich.

Yes - but only to get through HR | Vendor specific, SANS/GIAC, Offensive Security (PWB, AWE etc)
    Cracking copy protection systems on the Commodore Amiga. Writing an underground disk magazine and writing articles about US Hackers (MoD, Sundevil, etc). Spending too much time on BBS's.

    Later on: being in the right place at the right time (having Linux skills in 1997, basically), rapidly getting sysadmin jobs and taking the lead on security issues early on, then going full-time infosec from there.

Yes | CHECK Team Leader (CREST/Tiger Scheme)
    Started off as a developer, then worked as an admin, then in internal operational security on a financial UNIX estate, before current role at a security consultancy.

Yes - but only to get through HR | Don't know
    N/A, not currently working in IT industry.

Yes | Offensive Security (PWB, AWE etc)
    I started by programming web applications and reading books.

Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)
    I was fortunate enough to be able to run an independent IT consulting / managed services business for almost a decade outside of my previous day job. This background, plus an eventual MS in InfoSec and strong soft-skills, allowed me to look good enough on paper to get the interview / job.

    Oh yeah, luck had a huge part to play as well.

Yes | EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc)
    Migrated from Sys Admin into firewall management / InfoSEC (mainly worked in ISPs).

Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)
    Necessity. I worked helpdesk for a non-profit, and after one time assisting our VP of Technology (an MBA with no IT experience) do incident response, everything security related flowed through him to me.
                                             I was moved from a
                                             systems
                                             administrator role to
                                             Incident
                                             Management
                                             against my will.
                                             From there, I
                                             became a
                                             compliance jockey.
                                             From there, access
                                             controls. Then one
                                             of the managers I
                                             knew there gave me
                      Vendor specific,       a chance doing his
                      SANS/GIAC,             old job as a
                      CISSP, Offensive       Vulnerability
Yes - but only to get Security (PWB,         Management
through HR            AWE etc)               Engineer.


                                             I was always
                                             addicted to
                                             computers and how
                                             "technology works".
                                             I started slowly to be
                                             interested in pure
                                             security in parallel to
                                             my daily job. Then, I
                                             was hired by a
                      EC-Council (CEH        security consultancy
Yes                   etc), CISSP, CISA      company.
                      EC-Council (CEH
                      etc), Vendor
                      specific, CHECK
                      Team Leader
                      (CREST/Tiger
                      Scheme), CHECK
                      Team Member
                      (CREST/Tiger
                      Scheme),               Military, but with no
                      SANS/GIAC,             promotion prospects
                      CISSP, CompTIA         or continued use of
                      (Security+ etc),       my skills I broke
                      Offensive Security     free and spread my
                      (PWB, AWE etc),        wings. Now I am in
                      Anything to get your   control of my own
                      door open and you      development,
Yes - but only to get in the role you        learning and
through HR            deserve                everything.
                           Started early in my
                           IT career when I
                           was given a copy of
                           LANalyzer and
                           worked out I could
                           read all the telnet
                           traffic for our main
                           mainframe system
                           (NHS system with
                           patient details). I
                           wrote a paper on
                           how a "hacker"
                           could make use of
                           this information and
                           based on that report
                           the NHS trust
                           upgraded to
                           switching hubs.

                           After that I dabbled
                           over the years in
                           different things,
                           managed firewalls,
                           VPN's, secure
                           wireless networks
                           that sort of thing.
      CHECK Team
      Member               Decided this year
      (CREST/Tiger         after 15 years in IT
      Scheme), CompTIA     to focus more on
      (Security+ etc),     InfoSec related
      Offensive Security   areas and build on
Yes   (PWB, AWE etc)       my knowledge.
                                          At first, by cracking
                                          stuff, I wanted to do
                                          something my
                                          brother (a C and
                                          assembly
                                          programmer) didn't
                                          want to do. I didn't
                                          know any language.

                                          Then I went on irc
                                          (best place to learn)
                                          and I learned
                                          assembly, C and
                                          python to dev my
                                          own tools.

                                         I continued to study
                                         protections and
                                         crackmes, at each
                                         time a little bit
                                         harder than the
                                         precedent.
                                         Some years after I
                                         played some CTFs
                                         and tried to
                                         fuzz/exploit things to
                                         improve my knowing
                                         in vulnerability
                                         auditor, exploitation
                                         and exotic
                                         platforms. Went to
                                         conferences, meet
No                                       some guys irl etc.
Lived in very rural area, used BBSs to connect to others. Joined piracy/cracking groups, then went legitimate route at 18 to secure networks.
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc)
By curiosity as a kid. Learnt programming, learnt operating systems, read files from BBS's about hacking. Stopped blackhat stuff once some mates got in trouble with the law over hacking. Kept it grey/white hat since. Coding/reading while working as a defender. Decided the other side has more fun, changed careers and now a pen tester. Still reading and coding in my "spare time".
Yes - but only to get through HR | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc), Certs are useful if you learn from the training, otherwise: MEH
Security guy for my last job asked me to help identify where we were exposing too many services. Started with printers and a PingPro scan and it just escalated from there. I then took over the organization's default Windows build docs, started doing assessment work and moved over to the security team after a year or 2 of doing security in a non-security role. Key point: don't wait for a security job to show your org you care about security and have/develop the skills to create security value add.
Yes | Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc), OSSTMM certs




Before I got a job working in security I just messed around with it, ex-software pirate etc., but I got a job working for a security software company as a tech support person; they encouraged me to expand and provided training.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)
First started in IT on a help desk. From there learned as much as I could about operating systems and networking (SNA and TCP/IP). Slowly started supporting servers and security products. Eventually went into security full time as a manager.
Yes | Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc)
I'm in the process of exploring new opportunities in the Security field, I'm not in it yet.
Yes - but only to get through HR | (blank)




General interest while in college, was hired post masters degree.
Yes | CISSP
I started reading about it during the dot com bust, and added some basic security services to my part time consulting business. Several months later I answered an ad posted by a company looking for a part time systems administrator. There was no detail about the company in the ad, and when I got the call for the interview I found out that I would be working for SANS. I turned the part time position into a full time one and learned all that I could.
Yes | SANS/GIAC
I had always been interested in computers and "hacking", and when I was young I was very fascinated with the phreaking scene. I tried to stay up to date with what was going on in the underground, using sources such as BBSs and zines such as 2600.

A long time ago I worked for the helpdesk, and the company that I was working for had an "AntiVirus Team". This team wanted someone from the helpdesk as a representative on the team. Because I had experience removing malware they asked me to join the team. This was my introduction to the Corporate Security
Yes | EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)


Network and Systems Administration
Yes - but only to get through HR | EC-Council (CEH etc), CISSP, Offensive Security (PWB, AWE etc)


Floppy viruses in the early 90's and the Atlanta 2600 group.
Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP
Independent vulnerability research and offensive technology research, freelance pen testing, and an internship with a pen test shop.
Yes - but only to get through HR | SANS/GIAC, Offensive Security (PWB, AWE etc)




This is hasty.

Long time interest, did internships, worked at tech shop, worked in NOC, was promoted to security engineer.
Yes - but only to get through HR | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)
Used to play a lot of hacking challenge games, such as net-force.nl and other sites on www.wechall.net. When I was searching for a job I typed in "hacker" in a job search site and 1 job showed up close to me. After applying I got the job right away.
No | (blank)
Military. Marines. Taught the basics then went to a 4 year university where my knowledge became more generalized. Learned Java, VB, COBOL (yuk), and C. Then graduated, worked for the big 4 doing SOX, FISCAM, FISMA audits. Moved to a consulting firm where I took Offensive Security courses and taught myself python after work. Now I work in operational security writing custom SIEM rules, NAC rules, sourcefire rules, do RE on malware and COTS products and conduct pentesting on new builds, and incident response when needed. So my experience and lesson is, get exposed to
Yes - but only to get through HR | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)
I studied computer engineering in college in a state with a large military-industrial complex. I was campus-interviewed and hired by a defense contractor. The rest is history.
Yes - but only to get through HR | EC-Council (CEH etc), CISSP

Started doing tech support, actually, for a vendor. Became passionate about security and eventually got CISSP. Have worked mostly for vendors but have also worked in "inside" IA.
Yes | EC-Council (CEH etc), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP
I found I enjoyed, and I applied for security work.
Yes - but only to get through HR | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)
Showing interest around the office, advocating an
Yes - but only to get through HR | EC-Council (CEH etc), CISSP
Developed interest a number of years ago while working as a sys admin/network engineer. Outside of work attended SANS training as a volunteer and earned GIAC. Followed up with other SANS certs through the work study and volunteer route. About 5 years ago earned my CISSP. That organization was not big enough to have a dedicated security person so about 3 years ago applied for a job with a different organization and was able to use my certs and experience to get a job in security. I have to say have the helpdesk, sys admin, network engineer
Yes | SANS/GIAC
Started as a Computer Technician, specializing in Apple. Was given an Apple server to take care of because the Admins didn't think it was a worthwhile endeavor. I started hardening it because the students did what they wanted with it. Moved into Windows Admin because the Unix Admins thought it was beneath them. Again, the students had free rein of the systems, so I started hardening them. At that time, I started becoming interested in Security.

For my next two jobs, I was mainly a System Admin. Since I was a one
Yes | SANS/GIAC, CISSP



First I got a master's degree in InfoSec. After that I got my first job as PenTester.
Yes - but only to get through HR | SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)
By solving web security challenges on www.hackthissite.org. Cool days..
Yes - but only to get through HR | CISSP
My start actually came as a systems administrator and network engineer, when I started trying to bring principles to our customers of deploying secure networks. We weren't focusing on it as a company at the time, but I always tried to make sure good patching strategies were in place, proper password policy was developed, management of infrastructure equipment was using secure protocols, etc. Later on I took a job as a network administrator for a large industrial mining firm, who had a really stable network, so I had a lot of time to play. I began to conduct vulnerability scans,
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)




Originally worked as a generalist in IT, then as a Unix Sysadmin and Network Engineer. Always had security as a goal as I got kicked out of a college course for "hacking". That was 20+ years ago...
Yes - but only to get through HR | SANS/GIAC, Offensive Security (PWB, AWE etc)
I started as a system admin. I wanted to better secure my systems so started to dive into proper configurations. I also saw a need in managing the organization's firewalls and dove into that.
Yes | SANS/GIAC




Web vulnerability scanning as an intern
Yes | SANS/GIAC, CISSP
I got into security by originally breaking into things and, well, being generally disruptive in a Fortune 500 company while on the helpdesk in the early 90's. From there started focusing on security, after seeing this huge hole that no department was addressing, and worked for consulting firms, Andersen Consulting, etc.

Also with your list of Job Types above, I have pretty much done all roles listed at one point or another during my career. This is why I am now a manager/mentor.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CISSP
As a Network Engineer/IT Manager I was asked in 1994/1995 to curate the move of our company (D&B and D&B Software) online and onto the Internet. After getting Internet services from PSINet, I spent about a day or two looking at the traffic online and decided we needed a firewall. So I contracted a company to help build the first Token Ring based firewall - based on Novell's UNIX. As our use of Internet expanded, we moved to Check Point on SUN and started using VPN to connect remote offices at considerable savings and increasing network
Yes | EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, ISACA




Went through the ranks tech to manager. I was always anal about security, before it was cool.
Yes | SANS/GIAC, CISSP




Government Regulation of Employers Industry
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP
I wanted to know how to better defend the systems that I was administrating. That desire to learn quickly turned into an obsession and a passion for staying updated and informed. To know the latest exploits that were being used, and testing them against my systems to ensure that we were protected against them.

That led to full-out penetration testing and Red Teaming efforts and before long, I switched roles from a Sys-admin into a Red Team analyst.

I also had a desire to help other companies, so I created a private company to perform 3rd party penetration tests
Yes | EC-Council (CEH etc), CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)




A challenge from one of my customers, that I would not be able to penetrate their firewall systems
No | none
How far back to go?

When I took my university courses in Network Administration I found the security content to be fascinating. I acquired a security certificate out of that course (SCNP) as well as Windows and Linux admin (MCSA, Linux+).

A couple of years as Network Admin, then some time in tech support for a different employer and a 'new' Security Analyst position was created to support the existing Security Specialist.

I was working in IT, my security certification was current, I had a good reputation with my co-workers and I
Yes | Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)



After years of being responsible for Security as a Network and later Systems Architect, I got a break and was hired on as an Information Security Specialist.

My observation is that getting a 'break' is the real in, for the Security Field. Previous experience helps the sell, but really most positions are interested in knowing that you've had previous security titles.
Yes | SANS/GIAC
Worked as a low-level IT-tech and got an offer to "upgrade" to security administrator. After that, I got stuck doing access control stuff because no one else "got it". Got drafted into perimeter protection mostly because I knew some basic security concepts and some network stuff, and after that my interest really took off with trainings, etc.

You could say I slipped in on a banana shell.
Yes | SANS/GIAC, CISSP, CompTIA (Security+ etc)




I did a few certifications, and applied in many firms, got some offers from training institutes but wanted to be in the mainstream, then gave my first interview in an organisation with the contact I got from LinkedIn and cracked the interview, now I'm in.
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)
DWP project that required business to abide by ISO27002 controls. I got volunteered.
Yes | EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP, Offensive Security (PWB, AWE etc)




The movie "Hackers" inspired me when I was young.
Yes - but only to get through HR | SANS/GIAC



Graduate recruitment program followed by keen interest in any security related work which came up
Yes - but only to get through HR | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc)
Yes | SANS/GIAC, Offensive Security (PWB, AWE etc) | Assisting system administrators when triaging systems that had been hacked. Also at the same time, I was assisting customers with incident response on their systems.


Yes | EC-Council (CEH etc), SANS/GIAC | Job
Yes | SANS/GIAC, CISSP | I worked in a large financial institution in the messaging and collaborative computing group (email, IM, etc). I worked closely with our info sec team on offering services on the internet. That team hired me as a security consultant. So I was hired based on both my tech and soft skills, even though I didn't have a background in info sec, I had been exposed to it, and the hiring manager figured I could learn on the job with some training.



Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP | Dreaming of being a pentester
Yes | SANS/GIAC, Offensive Security (PWB, AWE etc) | Personal Interest




Yes | SANS/GIAC, CISSP, CompTIA (Security+ etc) | As a soldier in the communications field, US Army.
Yes - but only to get through HR | SANS/GIAC, CISSP | Note: The job types chosen above are the jobs that I am interested in doing.
    I have not yet started working in the InfoSec industry but I am currently undertaking study (post graduate) in Information Assurance and Security.
    Currently I work fulltime as a Systems Tester (mainly mainframe testing) for a government organisation.

No | | By having a lot of the right friends and a few of the wrong ones. ;-)
    Learning on my own through college and after college, working from the ground up at entry positions in tech repair and help desk, then doing sysadmin work with lockpicking on the side as a hobby.
    Having to fix my own things and break my own things, taught only from what I could read. Then one day as a trainer at Black Hat, now SANS, then friends in the community and I started getting job offers, but instead have our own company.
    Interest leads to
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | I've been interested in security for years. Been studying on my own. Going to conferences, reading blogs, Twitter, etc. I got on with a medium sized company that has really started to grow the last two years. Because I was a sysadmin that knew security I got to become the security guy. I still don't do it full-time as there are few who can pick up my other responsibilities, but I'm getting there.


Yes - but only to get through HR | Vendor specific, CISSP, CEH | As a young teen took computer classes and figured out how to hack the mainframe's MUD to allow me more time. Teacher saw this and pointed me to security books. Ended up getting referred to a guy at KPMG and they eventually hired me after university (I also got fired for hacking into one of their clients before I graduated and that sealed the deal lol)



Yes | SANS/GIAC, CISSP, CompTIA (Security+ etc), Linux+, Cisco/MS | Offshoot of repairing computers
Yes - but only to get through HR | | Got lucky... I was in IT already as a tech support/programmer. I looked for a job that would move me into the next step of network admin (or the like) and ended up finding a small start up type company that was willing to train if you had the basics. (I had some certs like MCSE, and Security+ already so they took me on.)
Yes - but only to get through HR | Vendor specific, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | I got my start in the first NOC I worked in. Between the spam complaint line and the time we were hacked, it led to a lot of great ways to learn.
    From there my first hint that I'd be interested in security was the fact that was the section I scored highest in on my CCNA in the late 90s. I spent more time bypassing company policy than caring about security, until the firewall admin said one day, ok smarty pants, you keep getting past me, you manage it. Since then, I've gotten in to packet captures in a new way, lots of firewall experience, and am slightly anal about reading my logs.
Yes - but only to get through HR | SANS/GIAC, Offensive Security (PWB, AWE etc) | Watched "Hackers" when I was in middle school, decided it was bullshit and wanted to learn more. Spent most of my free time in High School reading and learning. When I got to college I was able to go to Shmoocon and meet some people who were very active in the community. I used these contacts as examples and continued learning and teaching. I started on the IT Help Desk at my College to get access to the InfoSec people. After my 2nd Shmoocon I took the opportunity to take my notes and some free swag down to the InfoSec guys. This made a good impression and I




Yes - but only to get through HR | Depends on HR.... | Looking up best practices on setting up a wireless network. Link directed me to netstumbler.com, met some really cool dudes, the rest is history.
Yes - but only to get through HR | | Experimenting with reverse engineering software to bypass license requirements. Professionally started as a System Admin and got my Masters in Information Security (with a focus in IDS research). Went on trying out web application penetration testing and auditing.

Yes - but only to get through HR | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) | Working hard / contacts / good CV / good customer skills
No | | I was very active in a Linux user group. I had a personal interest in both securing and auditing the security of servers and networks. I started giving presentations at my LUG on how to lock down Linux boxes and how to use common tools for penetration testing. After I graduated with a Computer Science degree I went to work as a web application developer. I enjoyed the technical work but was bored by the products I was working on so I applied for entry level positions in application security consulting firms. One of them hired me.




No | | Shoulder-tapped from a Unix admin role in a government department.
Yes | Offensive Security (PWB, AWE etc) | It really started for me when a friend gave me access to his VMS account at a local college. I had no idea what I was doing on the system as I was only familiar with DOS and Windows at the time. After spending a lot of time learning the system, I found myself chatting with other users of the system. This led me to accessing other systems within the college that I probably shouldn't have been allowed to. Not bad for a 12 year old :-) This exploration and intense curiosity drove me to learn as much as I could.


Yes - but only to get through HR | SANS/GIAC, CISSP, CBA | I was always interested in how things break. Started with your basic pranks on the school networks then in my professional life I spent a few years in the dredges of IT (help desk). I made known my interest in security and tried to be involved any way I could. I got to the point where I had to change companies to do security work full time. I made the jump and have not looked back.
Yes | CISSP | Internship in a dev shop responsible for maintaining a wireless security scanner product


Yes - but only to get through HR | |
Yes - but only to get through HR | CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | A friend brought me to a hacking forum. At first it was just funny (skid) but after a few months, I really started to get interested in security and pentesting. So I started with websecurity and I'm going to start looking more into appsec soon.


Yes | SANS/GIAC | Hacking stuff online. Reading papers. Educating myself.
Yes - but only to get through HR | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | Started at my current company as a NOC tech then after five long years I was promoted to Network Engineer. I spent three years in Network Engineering while getting to know our systems and our security team. A job opening came up in the Information Security Department and I was hired. Since then been promoted to Senior but pretty much have the same functionality.




Yes - but only to get through HR | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | An existing job just morphed into a security position and I went along for the ride. Learned to like it and I have been there ever since.
Yes - but only to get through HR | SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | I started with an IT internship at a startup that had me fixing their network infrastructure, desktop support, VPN troubleshooting, IP telephony, server support, Linux, etc, etc. I was the general go-to person for all tech related problems, but never the person to talk to before the problem was created. Slowly I began to convince people around me that I knew something, and was eventually proposing major changes to the infrastructure etc, until I was the go-to person for upper management (VPs, C-levels).
    I then decided to move on from the startup and join the
Yes - but only to get through HR | SANS/GIAC, CISSP | Someone broke into my computer. After which I wanted to know how and why so I started coding and figuring things out. Eventually met a friend who convinced me to go to a conference, after that conference met more people and it snowballed from there.




Yes - but only to get through HR | SANS/GIAC | I first really got exposure to the security world a few years ago in college. Aside from what is taught in a CS program, just about everything I have learned on my own, from websites, presentations, and challenges. But learning and intelligence doesn't get you places. That happened after I started writing tools, exploits, and doing and releasing my own research. I consider a strong C programming skill set essential to RE, exploit development, and malware analysis.
Yes | SANS/GIAC | Building Linux systems to glue together clients and servers between security zones and character encodings, then system administration, moving into firewall/network security.

Yes | Vendor specific, SANS/GIAC, CISSP | Through Administration of security devices - firewalls, IDS, content filtering, AV, etc. However started with Helpdesk calls, backups, networking and server administration.




No | | Reading a pen-test on an application I made


Yes | | Protecting what needs to be protected.
Yes - but only to get through HR | | Started working as general support for an Anti-virus vendor.
Yes | EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | I wrote a thesis on Firewalls during my studies. In my first job after that the largest customer asked if we could come up with a managed firewall solution. I designed the solution and the management procedures for it. I also helped write the customer's Internet security policy.




Yes | EC-Council (CEH etc), Vendor specific, CISSP | Network admin, evolved into Information Assurance



Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) | Worked for a Security reseller doing low-level helpdesk, worked through organisation




Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc) | Had a passion for the hacker culture since my first taste of the dark side of AOL. And just never stopped.




Yes | SANS/GIAC, CISSP | Stumbled into some VXs when I was in high school and got interested in viruses.
Yes - but only to get through HR | EC-Council (CEH etc), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | Someone gave me a chance ;) I came from a Network technician background and had brought that job level to a Server/Network Administration and was very interested in Security. I applied for the position and talked with my current boss. He was happy to see that I was a go-getter and that I understood the work involved in learning and figuring things out.
Yes | EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | As a risk mitigation company working in the more austere environments, we recognized a growing need for IT security consulting and forensics to support investigations, as well as the ever-increasing merger of physical security and IT security needs. So, a little different career track than many I suppose.


Yes - but only to get EC-Council (CEH
through HR            etc)
                                          Reading phrack,
                                          coding, and
Yes - but only to get                     breaking example
through HR                                vulns.

Yes - but only to get CISSP, CompTIA
through HR            (Security+ etc)


Yes - but only to get
through HR            SANS/GIAC, CISSP
                                       I've always been
                                       interested in
                                       security, attending
                                       conferences and
                                       playing around in
                                       my free time. I
                                       finally took the
                                       plunge and went
                                       looking for a job in
Yes - but only to get Vendor specific, the security field. So
through HR            SANS/GIAC, CISSP far, so good.




Yes - but only to get
through HR            Vendor specific

                                          Internal transfer
                                          from sys admin and
                                          support, I think
                                          internal transfer via
                                          showing interest my
                                          be the simplest way
                                          to break in to
                                          security. Internally
                                          companies will
                                          understand your
                     Vendor specific,     skills and your local
                     CISSP, CompTIA       knowledge can
                     (Security+ etc),     make up for some
                     Offensive Security   of the skills you
Yes                  (PWB, AWE etc)       lack.
                                       Personal interest on
                                       the technical
                                       background behind
                    SANS/GIAC,         large scale network
                    CompTIA (Security+ attacks. Started with
                    etc), Offensive    network security
                    Security (PWB,     and continued with
Yes                 AWE etc)           system security,




                                         Studying at
Yes                 CISSP                university


                      CompTIA (Security+
Yes                   etc)               Curiousity
                                         Loved computers
                                         started
                                         programming at 12
                                         went to law school
                                         found I still loved
                                         computers mixed
                                         my understanding of
                                         the legal world with
                                         that of computers
                                         and there you have
Yes - but only to get                    it.
through HR            CISSP
                      SANS/GIAC,
                      CISSP, Depends
Yes - but only to get what you're trying to
through HR            accomplish




                        EC-Council (CEH
                        etc), Vendor          IT was boring so I
                        specific,             focused my IT work
                        SANS/GIAC,            on security and it
                        CISSP, Offensive      morphed into new
                        Security (PWB,        types of
Yes                     AWE etc)              assignments.


Yes - but only to get
through HR



                        CISSP, CompTIA
                        (Security+ etc),
                        Offensive Security
Yes                     (PWB, AWE etc)
                                         I got into it because
                                         it's my major in
                                         school but I got my
                                         job by being on
                                         twitter and
                                         networking. Here is
                                         a blog post on how I
                                         did it and my advice
                                         to those that want to
                                         break into this
                                         exciting field. Feel
                                         free to link to it if
                                         you would like.
                                         http://fightinginsecur
                                         ity.wordpress.com/2
                                         011/12/20/what-i-
                                         have-learned-so-far-
                                         on-my-journey-to-
Yes - but only to get                    becoming-a-security-
through HR            CISSP              professional/



                      Vendor specific,
                      SANS/GIAC,
Yes - but only to get CISSP, CompTIA
through HR            (Security+ etc)



Yes - but only to get Vendor specific, System
through HR            SANS/GIAC, CISSP Administration
                                     While working on a
                                     LAN support call at
                                     a university, I
                                     overheard upper
                                     management trying
                                     to figure out what to
                                     do with a subpoena.
                                     I put the caller on
                                     hold, asked three
                                     quick questions
                                     about how delivery
                                     was served, scope,
                                     and whether we in
                                     fact had the logs. I
                                     finished up the call,
                                     and discovered not
                                     only was my director
                                     standing there
                                     waiting for me to go
                                     further, but that I
                                     would get to handle
                                     incident response
                                     from that point
Yes                 SANS/GIAC, CISSP forward.




                                       The same way a lot
                                       of pimply faced
                                       teenagers did back
Yes                   SANS/GIAC, CISSP in the early '90's...
                                       Dont remember.
                                       Started to attend
                                       meetings, cons etc.
                                       Took university
                      EC-Council (CEH  classes. Got hooked
                      etc), Vendor     on security and
Yes - but only to get specific,        someone gave me a
through HR            SANS/GIAC, CISSP job.
      SANS/GIAC,
Yes   CISSP, ISACA BS

                        I started cracking
Yes   CISSP             applications




      CHECK Team
      Leader
      (CREST/Tiger
      Scheme), CHECK    Moved into IT
      Team Member       Security from
      (CREST/Tiger      General IT
Yes   Scheme)           consultancy
                                       I took software
                                       development in
                                       college and spent a
                                       lot of my time
                                       reading about
                                       infosec. I never got
                                       hands on with it in
                                       college though, I
                                       guess course load &
                                       lack of
                                       hardware/software
                                       for a decent lab held
                                       me back a bit.

                                       After I graduated, I
                                       was working a job I
                                       hated, applying to
                                       infosec companies
                                       and getting
                                       nowhere. I ended
                                       up harassing the
                                       CEO of a small
                                       infosec shop with
                                       phone calls, emails
                                       & mailed copies of
                                       my resume. In the
                                       end, I sent him an e-
                                       mail basically saying
                                       "Look, I know that
                                       good people are
                                       hard to find. Let me
Yes - but only to get                  work for free for 10
through HR            CISSP            hrs a week and you




Yes - but only to get
through HR            SANS/GIAC, CISSP During studies


                                     Have always been
                                     interested, knew the
                                     person leaving the
                                     position I wanted
                                     (within the company
                                     I worked), and
                                     asked him to put a
                                     good word in for me.
                                     Had several other
                                     people put in good
                                     words, and I got the
                                     job. It's been going
                                     splendidly since
Yes                 SANS/GIAC, CISSP then.
                         An external audit
                         highlighted the need
                         for a Security
Yes   SANS/GIAC          Officer. "hacking"
                         I thought
                         sounded cool so I
                         started learning
                         about Linux since
                         that seemed to be
                         the platform on
                         which all the cool
                         hacker tools were
                         written for. My first
                         job was scanning
                         slides and creating
                         brochures for a
                         small university
                         dept. I continued to
                         learn and develop
                         skills on the side
                         that they begin to
                         take advantage of.
                         Within about 2-3
                         years, I was
                         responsible for all
                         sysadmin and
                         helpdesk duties for
                         that dept.
                         Everything was
                         Windows in the dept
                         but I continued
                         using Linux,
                         learning about
      SANS/GIAC,         security tools, and
      CISSP, Offensive   responding to
      Security (PWB,     security-related
Yes   AWE etc)           emails on the


                         Our company got an
                         Internet connection,
                         was sold a
                         Sidewinder firewall,
      SANS/GIAC,         and I got assigned
      CISSP, CompTIA     the task of
Yes   (Security+ etc)    managing it
                                           someone was
                                           hacked me when i
                                           was a child! and i
                                           need to revenge not
                                           to hack back but to
                                           learn the defensive
                        SANS/GIAC,         mechanism, and i
                        CISSP, Offensive   can't excel in that if i
                        Security (PWB,     don't know how to
Yes                     AWE etc)           hack.




Yes - but only to get
through HR
                      EC-Council (CEH
Yes - but only to get etc), SANS/GIAC,
through HR            CISSP
                      EC-Council (CEH
                      etc), Vendor
                      specific, CHECK
                      Team Leader
                      (CREST/Tiger
                      Scheme), CHECK
                      Team Member
                      (CREST/Tiger
                      Scheme),
                      SANS/GIAC,           By chance, was
                      CISSP, CompTIA       working in
                      (Security+ etc),     networking and got
                      Offensive Security   seconded to
Yes                   (PWB, AWE etc)       FIrewalling and IDS.

                                           Through
                                           wargames/challeng
                                           es like PullThePlug,
                                           Caesum,
Yes - but only to get                      hacker.org,
through HR                                 dievo.org, ...
                                          I was always
                                          interested in
                                          computers during
                                          my time in the Navy.
                                          I kept asking to be
                                          posted to a job
                                          involving
                                          computers. I was
                                          finally appointed as
                                          the head of the
                                          Information Security
                                          organisation where I
Yes - but only to get                     learned about
through HR            CISSP               security on the job.
                      hard question... i
                      clarify why i think
                      certs are useful,
                      they force/ensure
                      the learner acquires
                      general knowledge.
                      The certs
                      themselves arent
                      useful cept to get
                      through HR, but the
                      process of
                      acquisition builds a Being curious and
Yes                   person               wanting to learn
                                           Working at a large
                                           bank I was given an
                                           old HPUX box to
                                           administer, two
                                           years later one of
                                           the internal pen
                      CHECK Team           testers called me
                      Leader               out of the blue and
                      (CREST/Tiger         told me the
                      Scheme), CHECK password and that it
                      Team Member          didn't have a
                      (CREST/Tiger         shadow file. I
                      Scheme),             thought that was a
                      SANS/GIAC,           cool job to just
                      Offensive Security break into stuff all
Yes                   (PWB, AWE etc)       day.


                      SANS/GIAC,
                      CISSP, Offensive
Yes - but only to get Security (PWB,      Out of personal
through HR            AWE etc)            interest
                                        Part time sys admin
Yes - but only to get                   work while an
through HR            SANS/GIAC         undergrad
                                        I was the Director of
                                        our application
                                        development team
                                        and I always had a
                                        strong interest in
                                        InfoSec as I was
                                        involved in
                                        answering the
                                        security
                                        questionnaires as
                                        we did not have an
                                        InfoSec team at that
                                        time. There was a
                                        major change to the
                                        HIPAA (healthcare)
                                        legislation that put
                                        our manufacturing
                                        facilities within
                                        scope of the act.
                                        That prompted the
                                        creation of a
                                        dedicated InfoSec
                                        and compliance
                                        team. We hired a
                                        CISO, I assumed
                                        the director role
                                        under him and we
                                        have now hired a
                                        staff of 6 people
                                        supporting our
                   SANS/GIAC,           initiatives. I have
                   Offensive Security   taken 5 SANS
Yes                (PWB, AWE etc)       courses since then
                             Worked my way up
                             from the ground up.
                             Started taking on IT
                             responsibilities in a
                             small business and
                             gradually got more
                             well-rounded in
                             administration and
                             engineering. I
                             started with cabling
                             and soho
                             networking and
                             ended up being
                             quite adept with
                             large AD
                             deployments,
                             virtualization,
                             exchange, etc.
                             Security was an
      EC-Council (CEH        interest of mine
      etc), Vendor           from the beginning,
      specific,              so everything I did
      SANS/GIAC,             had a security
      CISSP, Offensive       focus. The transition
      Security (PWB,         to penetration
      AWE etc), Some         testing was natural
      are useful practically since I already knew
      (offsec), others are how everything
      to get past HR         worked. People who
      (CISSP has nothing go straight into
      to do with pen         security really sell
      testing, but it helps themselves short. I
Yes   you get noticed)       worked primarily


                       Change of jobs,
                       brought in to launch
                       my expertise (data
                       recovery / digital
      EC-Council (CEH  forensics) within the
      etc), CHECK Team company, have
      Leader           ended up expanding
      (CREST/Tiger     my knowledge to
      Scheme), CHECK start concentrating
      Team Member      more on security,
      (CREST/Tiger     vulnerability
      Scheme),         scanning / ethical
Yes   SANS/GIAC, CISSP hacking.
                                           had always been
                                           interested in it, had
                                           many friends in
                                           various security
                                           roles... they pointed
                                           me towards some
                                           ways to focus my
                                           skills and i
                                           essentially talked
                     SANS/GIAC,            my way onto a
                     Offensive Security    consulting team
Yes                  (PWB, AWE etc)        insidework,
                                           Hard my company..
                                           I spent 90% of my
                                           time to make myself
                                           good before I
                                           worried about
                                           getting a job in that
                                           area. I never asked
                                           for handouts,
                                           training, or anything
                                           outside my hard
                                           work to get here.

                                           Community, (power
                                           in numbers)
                                           One of the largest
                                           things about getting
                                           a job is not always
                                           what you know but
                                           who you know.
                                           There are multiple
                                           studies that show
                                           this to be true.
                                           Attend conferences,
                      EC-Council (CEH      communicate on
                      etc), Vendor         blogs, be in IRC, go
                      specific,            to your local groups,
                      SANS/GIAC,           do stuff to get
                      CISSP, CompTIA       around other people
                      (Security+ etc),     that are like minded
                      Offensive Security   and they will most
                      (PWB, AWE etc),      likely look out for
Yes - but only to get anyone a manager     you to get a job
through HR            may know             when they have one
                     SANS/GIAC,
                     CISSP, Offensive
                     Security (PWB,        Working on Unix
Yes                  AWE etc)              machine in 80'ties
                                           Via tech support into
                                           architecture,
                                           ensuring
                                           compliance to
                                           security policies
                                           From within the
                                           architecture team,
                                           obtained
                                           qualifications and
                                           developed security
                                           architecture
                                           function. The into
                     CISSP, cism, cisa     info sec
Yes                  etc...                managerment.




                                           Developed an (un)
                                           healthy interest in
                                           network security at
                                           university. setup a
                                           local 2600 group,
                                           learned to break
                                           stuff, fix stuff,
                                           worked building the
                                           Internet, then
                                           learned how to
                                           secure it. worked for
                                           some companies,
Yes - but only to get certified experience then decided to
through HR            ;-)                  work for myself.
                                           sysadmin in
                                           computer labs for 3
                                           years, then
                                           sysadmin at isp for
                                           14 years, then
                                           dedicated security
                      SANS/GIAC,           eng at bank for last
Yes - but only to get Offensive Security   few years.
through HR            (PWB, AWE etc)

                                           Started out as a
                                           teenage hacker,
                                           became a sys
                                           admin after uni but
                                           became quickly
                                           disillusioned so did
                                           a masters in
                                           InfoSec and moved
                     CHECK Team            to London. I started
                     Leader                at a VAR as a
                     (CREST/Tiger          security engineer
                     Scheme), CHECK        but covered their
                     Team Member           pen testing as well,
                     (CREST/Tiger          eventually running
Yes                  Scheme)               the team.
                                        Through a
                                        University friend
                      EC-Council (CEH   introducing me to a
Yes - but only to get etc), Vendor      group of IT Security
through HR            specific, CISSP   Professionals.




                                     Transferred to
                                     communications in
                                     the Air Force in
                                     1999. Worked
                                     System
                                     admin/engineer
                                     duties and started
                    EC-Council (CEH  firewall and security
                    etc), SANS/GIAC, duties in 2000 time
Yes                 CISSP, CISA/CISM frame.
                                           Have been hacking
                      CHECK Team           stuff since I first saw
                      Leader               a computer in 1996.
                      (CREST/Tiger         Worked as a
                      Scheme), CHECK       sysadmin/network
                      Team Member          admin for about 8
                      (CREST/Tiger         years before being
                      Scheme),             in the right place at
                      SANS/GIAC,           the right time to fill a
                      CISSP, Offensive     vacant security
Yes - but only to get Security (PWB,       manager position in
through HR            AWE etc)             2007.




                      EC-Council (CEH
Yes - but only to get etc), SANS/GIAC,     https://www.sfs.opm
through HR            CISSP                .gov/
                      CHECK Team
                      Leader
                      (CREST/Tiger
                      Scheme), CHECK
                      Team Member
                      (CREST/Tiger
                      Scheme),
                      SANS/GIAC,
Yes - but only to get Offensive Security   By interest during
through HR            (PWB, AWE etc)       my uni times
                                       Military training to
                                       be a programmer,
Yes - but only to get                  then sysadmin, then
through HR            SANS/GIAC, CISSP network admin.
                         My very first
                         exposure to IT
                         security was as a
                         university student in
                         working in
                         operations for the
                         Academic
                         Computing Center
                         back in the dark
                         ages -- 1983. Most
                         people were
                         generalists at that
                         time. Within 3
                         months I was
                         promoted to the
                         help desk and
                         picking up
                         programming,
                         analysis, and sys
                         admin contracts.

                         Today, I would urge
                         students to pursue
                         internships or do
                         volunteer work
                         focused on the
      SANS/GIAC,         latest trends like
      CISSP, CompTIA     SEIM, vulnerability
      (Security+ etc),   testing, and
Yes   CISA, CISM         telecommunications.




      CISSP, Offensive   Making my own
      Security (PWB,     website, and it got
Yes   AWE etc)           hacked.

                         A friend was doing
                         his senior project on
                         Snort and I was
                         helping him out and
                         I came across the
                         PaulDotCom site
                         and that opened my
                         eyes and changed
                         my world and got
                         me interested in
      Vendor specific,   security. This was
Yes   SANS/GIAC          in 2006.
                                           Released some
                                           papers which lead
Yes - but only to get                      to my first job as a
through HR            CISSP                pentester.
                      CHECK Team
                      Leader
                      (CREST/Tiger
                      Scheme), CHECK
                      Team Member
                      (CREST/Tiger
                      Scheme),
                      SANS/GIAC,
                      CISSP, Offensive
                      Security (PWB,
Yes                   AWE etc)             A lucky break.




                     EC-Council (CEH
                     etc), Vendor
                     specific,
                     SANS/GIAC,
                     CISSP, CompTIA        Program of study at
                     (Security+ etc),      University that
                     Offensive Security    offered elective
Yes                  (PWB, AWE etc)        options for Security.




                                           In university with
                      SANS/GIAC,           some virus samples
Yes - but only to get Offensive Security   and doing recovery
through HR            (PWB, AWE etc)       HD in my house




                     Offensive Security
Yes                  (PWB, AWE etc)        College
                      SANS/GIAC,           a friend got me
Yes - but only to get Offensive Security   hooked. I blame
through HR            (PWB, AWE etc)       them now.
                                       Always been
                                       interested in it, so I
                                       knew the
                                       vocabulary, and had
                                       some cursory
                                       experience. Made
                                       some friends in the
                                       security group
                                       where I work, and
                                       found out from them
                                       when positions
                                       opened up.
                                       Interviewed, and -
                                       here's the key -
                                       clearly and honestly
                                       represented my
                                       experience (fairly
                                       low) and interest
                                       (innate) and what I
                                       do on my own to
                                       develop it.

                                    I got the job, and my
                                    team had
                                    reasonable
                   Vendor specific, expectations of me
Yes                SANS/GIAC, CISSP from the start.



Yes - but only to get                  Migrated in from
through HR            SANS/GIAC, CISSP Network Admin

                                       Job: I was an
                                       auditor and noticed
                                       something that
                                       didn't look right.
                                       Being a part of the
                                       incident I migrated
                                       to the security team.

                                       General: I was a kid
                                       who was babysat by
                                       a 1200 baud
Yes                CISSP, CRISC        modem.
Yes - but only to get Vendor specific,
through HR            SANS/GIAC, CISSP




                                         I started researching
                                         security, hacking,
                                         pen testing, etc.
                                         during college
                    CISSP, Offensive     because I thought it
                    Security (PWB,       was extremely
Yes                 AWE etc)             interesting.




                                         i don't work in it yet.
                                         but, as a hobby...i
                                         stumbled across a
                                         hacker message
                                         board a few years
                                         ago, someone there
                                         convinced me to
                                         give linux a try,
                                         which led to me
                                         getting back into
                                         programming, then
                      SANS/GIAC,         starting to learn
                      CISSP, Offensive   networking, then
Yes - but only to get Security (PWB,     starting to learn
through HR            AWE etc)           security.
                         I was always
                         involved in IT, but a
                         DoD Red Teaming
                         assignment while on
      SANS/GIAC,         active duty in the
      CISSP, Offensive   US Army forced me
      Security (PWB,     into the security
Yes   AWE etc)           field.



                         I was given the
                         chance to do
                         incident response
                         and got addicted to
                         it. After that I moved
                         on to having to
                         administer the
                         devices IR team
                         used, then went into
                         security planning,
                         back to IR as a
      CISSP, Offensive   leader, and then on
      Security (PWB,     to pentesting and
Yes   AWE etc)           finally red teaming
                      Vendor specific,
                      SANS/GIAC,
                      CISSP, Offensive
Yes - but only to get Security (PWB,     Police Cybercrime
through HR            AWE etc)           investigator
                           I was persistent.

                           I had 0 idea what I
                           was doing but
                           showed up at
                           Summerc0n 2003
                           with the intent on
                           learning.

                           I would try to read
                           things and keep up
                           on industry goings
                           on. Build a Lab and
                           mess around with
                           stuff.

                           When the company
                           I worked for created
                           a dedicated security
                           practice myself and
                           3 others were added
                           to the team. I shifted
                           focus into
                           virtualization and
                           storage for a bit,
      Vendor specific,     but, I'm trying to
      Offensive Security   bring my focus back
Yes   (PWB, AWE etc)       to security.
                                           Creating my own
                                           path, people in
                                           Costa Rica think,
                                           nothing bad will
                                           happen to them,
                                           and only financial
                                           institutions take
                                           security into
                                           account, in part
                                           because of
                                           international
                                           regulations like PCI
                                           and in part because
                                           they don't want to
                                           pay fines when their
                                           customers money
                                           has been gone from
                                           their accounts.

                                           It's been very hard
                                           because people
                                           don't want to invest
                                           in security, they
                                           don't think a
                      EC-Council (CEH      vulnerability
                      etc), Vendor         assessment or a
                      specific, CISSP,     penetration test give
Yes - but only to get Offensive Security   them any value to
through HR            (PWB, AWE etc)       their business.




                                       Playing other games
                                       on the network in
                                       first grade than what
                                       I should have been
                                       got me in trouble
Yes - but only to get Vendor specific, and I have been
through HR            SANS/GIAC, CISSP hooked ever since.
                      EC-Council (CEH
                      etc), CISSP,         With a passion for
Yes - but only to get Offensive Security   computers and tech
through HR            (PWB, AWE etc)       at a young age.


                                           Working as a
                                           firewall and network
                                           admin and started to
                                           focus on security
                                           controls. Then I
                                           started a Master
                                           program with a
                                           focus in Info Sec
                                           from Capella
                                           university. Then
                      Vendor specific,     things just snow
                      SANS/GIAC,           balled from
                      CISSP, CompTIA       there...Sec+,
                      (Security+ etc),     CISSP, CCSP,
                      Offensive Security   SANS, and etc.
Yes                   (PWB, AWE etc)
                      SANS/GIAC,
                      CISSP, Offensive     Managing firewalls.
Yes - but only to get Security (PWB,       Was phreaker as
through HR            AWE etc)             kids (1990s)
Yes - but only to get
through HR            SANS/GIAC

                                       learned it on my
                                       own, books and the
                                       web, then started
                                       taking certs, then
                                       started asking for
                                       security work, then
                                       was given chances
                                       once I demonstrated
                     SANS/GIAC,        the effort and
Yes                  CISSP, CISA, CISM sincerity.




                      SANS/GIAC,
                      CISSP, Offensive
Yes - but only to get Security (PWB,
through HR            AWE etc)             Through the Military
                      CHECK Team
                      Leader
                      (CREST/Tiger
                      Scheme), CHECK
                      Team Member
                      (CREST/Tiger
                      Scheme),             Was a programmer,
                      SANS/GIAC,           applied for a job at a
                      CISSP, Offensive     University, joining
Yes - but only to get Security (PWB,       their IT Security
through HR            AWE etc)             Team



                                           I heard an interview
                      SANS/GIAC,           when I was younger
                      CISSP, CompTIA       with Kevin Mitnic. I
                      (Security+ etc),     bought his book and
Yes - but only to get Offensive Security   really responded
through HR            (PWB, AWE etc)       with pen testing.

                                       A standard tech
                                       support position that
                                       included defending
                                       against phreakers,
                                       then onto telecoms
                                       security defence
                                       and then
                                       networks/computers
                                       . Essentially, I
                                       realized I had
                                       security abilities and
                                       enjoyed that portion
                                       of the job.
                                       Recognition and
                                       hard work allowed
                                       me to focus my
                                       career out of
                                       technical
                                       support/design into
Yes - but only to get                  a pure security
through HR            SANS/GIAC, CISSP environment.




                                           Got hacked, thought
Yes                  SANS/GIAC             this was interesting.
                      Vendor specific,
                      SANS/GIAC,
                      CISSP, Offensive     Technical Support
Yes - but only to get Security (PWB,       for Network
through HR            AWE etc)             Firewalls
                      EC-Council (CEH
                      etc), Vendor
                      specific, CHECK
                      Team Leader
                      (CREST/Tiger
                      Scheme), CHECK       Initially through
                      Team Member          being a network
                      (CREST/Tiger         administrator and
                      Scheme),             systems
                      SANS/GIAC,           administrator
                      CISSP, CompTIA       followed by VoIP
                      (Security+ etc),     R&D. Now I work
                      Offensive Security   100% in security as
                      (PWB, AWE etc),      my day job and
                      Network Certs,       about 25% for side
                      Linux/UNIX Certs,    work and tech
Yes                   Etc.                 hobbyist.




                                           Windows sysadmin
                                           moved to incident
                                           response cause
                                           they didn't have any
                                           windows expertise
Yes                  SANS/GIAC             at the time.
                    EC-Council (CEH
                    etc), Vendor
                    specific, CHECK
                    Team Leader
                    (CREST/Tiger
                    Scheme), CHECK
                    Team Member
                    (CREST/Tiger
                    Scheme),
                    SANS/GIAC,
                    CISSP, CompTIA
                    (Security+ etc),
                    Offensive Security
                    (PWB, AWE etc),
                    Some certs are
                    better for
                    knowledge, while
                    some are better for   Through tenacity
Yes                 HR                    and good mentors.


                                          A security position
                                          opened up at the
                                          company I was
                                          working at. I was a
                                          unix/Linux admin for
                                          15 years but ready
                                          for a change. I
                                          have always had an
                                          interest in security -
                                          it was always part of
                      SANS/GIAC,          a sys admins job
                      CISSP, Offensive    responsibility, so the
Yes - but only to get Security (PWB,      move into security
through HR            AWE etc)            made sense
                                          I was originally a
                                          mainframe
                                          programmer who
                                          was later bumped
                                          into a network
                                          admin position.
                                          Which then in starte
                                          taking sans
                      Vendor specific,    courses to defend
                      SANS/GIAC,          the network which
                      CISSP, Offensive    let to another job
Yes - but only to get Security (PWB,      change into
through HR            AWE etc)            security.
                      SANS/GIAC,
                      CompTIA (Security+
                      etc), Offensive    I started as sys-
                      Security (PWB,     admin then went
Yes                   AWE etc)           from there !
                                         Stumbled across
No                                       security catalyst site

                                         Worked as a
                                         unix/linux
                                         administrator for 15
                                         years. Always had
                                         an interest in
                                         security and it used
                                         to be part of an
                                         administrators job
                                         function. A security
                      SANS/GIAC,         role opened up at
                      CISSP, Offensive   my company at the
Yes - but only to get Security (PWB,     time I was ready for
through HR            AWE etc)           a change.




                                     When Networking
                                     and Security had to
Yes                 SANS/GIAC, CISSP be segregated.




                                         I had an interesting
                    SANS/GIAC,           job offer when I was
Yes                 CISSP, OSSTMM        looking to move on.
                        EC-Council (CEH
                        etc), SANS/GIAC,
                        Offensive Security
Yes                     (PWB, AWE etc)       Military assignment


                      EC-Council (CEH
Yes - but only to get etc), SANS/GIAC,
through HR            CISSP                  Military
                                             I'm still working on
                                             my master thesis,
                                             but security has
Yes - but only to get                        always been an
through HR                                   interest to me

                                             Curiosity when I first
                                             purchased my N900
                                             phone, I started with
                                             simple WEP
                                             cracking and then
                                             moved onto MiTM
                                             attacks, I consider
                                             myself a mediocre
                                             at this stage but Im
Yes - but only to get Offensive Security     willing to learn more
through HR            (PWB, AWE etc)         in the future.
                            I was in network
                            administration for 7
                            years when I began
                            to get very
                            interested in
                            security. I took a
                            course from John
                            Strand at the
                            University of Denver
                            and that's when I
                            really got obsessed.
                            I did have a problem
                            though, I was going
                            to have to convince
                            an interviewer that I
                            knew what I was
                            talking about to get
                            into security. This
                            interview didnt come
                            for 5 years. I got a
                            MS in Info Sec and
                            began on the
                            certification route.
                            OSCP, OSCE and
                            then CISSP. I did it
      SANS/GIAC,            this way because I
      CISSP, Offensive      knew with the
      Security (PWB,        offensive security
      AWE etc), * my        stuff I would learn a
      CISSP. Only to get    ton but I also knew
      through HR. I think   that no one would
      it's worthless        hire me, only
Yes   otherwise.            because HR people



                            I was the only
      Vendor specific,      computer type on a
      SANS/GIAC,            classified program
      CISSP, Offensive      that needed to use
      Security (PWB,        computers (a long
Yes   AWE etc)              time ago).
                         I sort of evolved into
                         the position. It just
                         seemed the more
                         time I spent around
                         computers the i
                         became the "go to"
                         person for technical
                         assistance.
                         Eventually I started
                         working at a
                         Helpdesk which
                         gave me greater
                         exposure to all of
                         the things that were
                         happening on the
                         network. I
                         eventually took the
                         Information
                         Assurance \
                         Information Security
                         position because
                         nobody else wanted
                         it. I thought I might
                         be good at it. I've
                         been in that position
                         for approx 3 years
                         and it still remains to
                         be seen if I am good
                         at it. The bigest
      Vendor specific,   thing I have learned
      SANS/GIAC,         is pushing patches
      CISSP, CompTIA     is much harder then
Yes   (Security+ etc)    I thought.
                                       I started as a Unix
                                       admin. Security
                                       issues caught my
                                       attention (they
                                       always had since
                                       well, well before I
                                       was ever paid to put
                                       hands to keyboard).
                                       I'd talk security and
                                       bring up issues as
                                       well as alert co-
                                       workers of things we
                                       might need to do.
                                       Pretty soon, I was
                                       considered the
                                       subject matter
                                       expert for my
                                       contract and being
                                       sent to represent at
                                       security meetings.
                                       Within the year, I
                                       was no longer an
Yes - but only to get                  admin and I was
through HR            SANS/GIAC, CISSP 100% infosec.
                                         I been doing general
                                         Workstation /
                                         Windows Server /
                                         Unix Server support
                                         for 20 years,
                                         watching other
                                         people specialise in
                                         SQL/Web
                                         Programming/Projec
                                         t Management and
                                         moving up the
                                         salary tree. Seeing
                                         that no one values a
                                         good skills of
                                         running a live
                                         environment, I
                                         decided to move
                                         into Security, which
                                         I have always had a
                                         passion for by
                                         keeping live
                                         production systems
                                         safe.

                                         While doing my
                                         general support
                                         roles I got involved
                                         with lots of project
                                         putting in new
                                         systems but always
                      SANS/GIAC,         got over ruled when
Yes - but only to get CISSP, CompTIA     I brought up security
through HR            (Security+ etc)    as it would put a




                                         Military assigned me
                                         to a vulnerability
                                         assessment job
                                         because I was an
                                         engineer and had
                    Offensive Security   some (limited)
Yes                 (PWB, AWE etc)       computer abilities
                         As a job I started
                         out as a helpdesk
                         /sys admin.
                         Always having an
                         interest in security I
                         used to just sit at
                         home, read
                         websites, blogs,
                         twitter, etc. Then
                         downloading and
                         testing tools, and
                         basically trying
                         things at home.

                         I became more of a
                         networking guy, but
                         kept on track with
                         my whish to do
                         some actual security
                         work by doing the
                         Cisco security track
                         (CCSP).

                         Since I wanted to be
                         an ethical hacker I
                         kept doing my
                         personal research
                         and eventually
                         applied for a job as
      SANS/GIAC,         a penetration tester.
      CISSP, Offensive   I now do a couple of
      Security (PWB,     penetration tests a
Yes   AWE etc)           year and am doing




                         I was working 3-6
                         month contracts
                         after company went
      SANS/GIAC,         out of business and
      CISSP, Offensive   was hired at a CIRC
      Security (PWB,     startup as an IDS
Yes   AWE etc)           analyst.
                       I applied for and
                       was hired as a
                       Junior Level
                       Security
                       Administrator. I
      EC-Council (CEH  believe that I got
      etc), Vendor     into the door based
      specific,        on my security and
Yes   SANS/GIAC, CISSP OS certifications.
                       I started in the IT
                       field over 30 years
                       ago as a
                       programmer then
                       systems analyst and
                       worked as a
                       administrator for
                       networks,
                       mainframes then
                       UNIX systems. It
                       was while I was a
                       UNIX administrator
                       that I started testing
                       firewalls when they
                       first came out even
                       built one using the
                       firewall toolkit. I
                       then started
                       securing some of
                       the vulnerable
                       processes I saw and
                       started writing
                       policies and
                       standards around
                       those processes. I
                       later got into
                       Security Consulting
                       then moved on the
                       build and manage a
                       security department
      SANS/GIAC,       for a company
      CISSP,           overseeing the
Yes   CISA/ISACA       writing of all of the
                                         I have always
                                         enjoyed breaking
                                         and fixing things. My
                                         start was the
                                         summer I got mono
                                         and stayed on the
                      The ones that show computer the whole
                      your dedication.   time. Professionally
                      Certs dont show    my start was in the
Yes                   ability.           military.
                                         It was an interest
                                         and I started by
                                         researching on my
                                         own, then attending
                                         local 2600
                                         meetings, then
                                         DefCon. Jobs
                                         followed. Now been
Yes - but only to get                    about 20 yrs in the
through HR            SANS/GIAC, CISSP industry.

                                         I was introduced to
                                         the 'Google Hack'
                                         and TJX hack by my
                                         professor. Through
                                         further research, I
                                         was amazed with
                                         the abilities that a
                                         person/group can
                                         perform with a
                                         computer. In the
                                         meantime, I was
                                         quite shocked to
                                         learn how
                                         vulnerable I was by
                                         accessing the
                                         Internet. From
                                         there, I fell in love
                                         with the field and
                    SANS/GIAC,           hope to obtain a
                    Offensive Security   career in InfoSec
Yes                 (PWB, AWE etc)       when I graduate.
Yes | Vendor specific, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | Reading and watching videos, working with contracted pentesters.
Yes - but only to get through HR | Offensive Security (PWB, AWE etc) | an internship

Yes - but only to get through HR | Vendor specific, CISSP, Offensive Security (PWB, AWE etc) | Started as a network engineer and after some time I was assigned to migrate to the new firewall. Moved on to a security consultant where I continued fw administrator, wireless security and then got involved in pentesting.


No | SANS/GIAC, CISSP | be strong in networks and sysadmin tasks, while learning programming in college. Work hard in all areas to improve, and start on the network penetration testing side of things. Then gradually improve at application security, source auditing, reverse engineering, exploitation.
Yes - but only to get through HR | EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | Studying Ethical Hacking at university




Yes | EC-Council (CEH etc), CISSP | Graduated from MEng in security and found a job I love, got a lot of support from my boss and colleagues.
No | CHECK Team Leader (CREST/Tiger Scheme) | BBS badness followed by pen test companies (after breaking my university network and then telling them how I did it repeatedly)
Yes | EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc) | Actually when I started to plan to be certified from Microsoft in 2003
Yes | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | totally by chance. I interviewed with a security company, kind of "fudged" my way in, then learned everything as quickly and thoroughly as possible. Once I had the basics of VA down, I started dabbling in pen testing here and there as any additional learning was encouraged by my company.
Yes | EC-Council (CEH etc), CISSP, Offensive Security (PWB, AWE etc) | I was a QA engineer a decade ago, since then I've done programming and even sales. I was hired as a programmer for my current company, and noticed they had no one on security. I downloaded BackTrack and started scanning. The sys admins had a fit because someone was scanning internally. A week later they liked my initiative and asked if I'd be the security guy.
Yes - but only to get through HR | CISSP, ECIS | Our "EDP Security Officer" quit, and my boss asked me if I wanted to take over physical security, EDP/info security, preparedness/continuity mgmt and risk financing/insurance. Quite a package, but logically sound - and unusual for those days (ca 1990). I accepted, of course.




Yes | CISSP, CompTIA (Security+ etc) | Went from break/fix IT and SysAdmin-ing into IT Auditing. Customers started asking for vulnerability assessments and pen-tests. Bootstrapped myself into network security through these engagements.
Yes - but only to get through HR | CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) |
Yes - but only to get through HR | | Always been fascinated by computers, and by computer security. So began researching as a hobby.



Yes | Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | Well saw the movie Hackers back in '02 and thought I wanna do that. So I started carrying around a flash drive with a trojan on it going, "I'm gonna hack you. LOLOLOLOL" I eventually realised I was just being a big douche and so I sat down, read through a few books, watched some of the Hak5 podcasts and visited some forums, where I figured out that I had a major love for Networking and anything Networking related. And since then I've spent my time learning so that I may one day hopefully get a job as a Net-Admin.


Yes | Vendor specific, CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP | Malware analysis, worm outbreaks, and incident response
Yes | EC-Council (CEH etc), Offensive Security (PWB, AWE etc) | I am barely starting out and I am trying to learn the CEH but I am wondering if this is the route I should take
Yes - but only to get through HR | CISSP, CompTIA (Security+ etc) | Hak5 -> 2600 -> HOPE




Yes | Offensive Security (PWB, AWE etc) | Curiosity, how the heck do I break into it? The rest is history...
Yes | Vendor specific |
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) |
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | I worked for a small company that didn't have anybody focus strictly on security. Team did the best they could but it wasn't considered a priority. Anyway, every time I would have a meeting with my IT Director, I would always mention the security projects I was working on at home, such as building a snort or UTM PFsense system for my home network. Basically, I tried to plant the birdie in his ear that security was a passion of mine and it was something we should consider here. He finally caved in when the internal network was a victim of malware issue causing an ARP DoS. He turned to me and




Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP | As a teenager playing MMO's, ironically enough. Formerly in the US Navy as a CTN, and mostly self taught. Attended a bunch of SANS conferences early on and also through my podcast, SecuraBit.
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP | I think I may have been inherently interested in security. At my first IT job, a local computer shop, they needed somebody to set up a PIX firewall. I had done some firewall setup with a freebsd box I had, so I volunteered. After I set up that, I got asked to support another one, which led to a few more. I had several jobs where maintenance of some security devices, but had a diverse background of Mac support, Windows support, various flavors of Unix admin, ISP net admin, and some development. When I got to my current security job, I got the job not because I had
Yes | CHECK Team Leader (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc) | Managed to get a job in technical support for a company providing IT security products.



No | | Reading books, websites, following blogs etc.
Yes | EC-Council (CEH etc), SANS/GIAC, CISSP | As a sysadmin for an ISP
Yes - but only to get through HR | EC-Council (CEH etc) | Moved from a sys-admin position into a security role.
Yes | CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc) | Did a Foundation Degree in Computer forensics

Yes | EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) | I was doing competitive intelligence on digital sending features in MFP's and I believed that it was as important to understand the security aspect as it was to understand the digital sending aspect.
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc), Cisco (but not much other vendor specific) | My employer got hacked.

Yes | EC-Council (CEH etc), CISSP | Started in 2nd/3rd line support. Always had an interest in security at home. Spent a couple of years making security recommendations as part of my monthly 1 to 1 feedback. Eventually they created a (trainee) security post, it was the first dedicated security post in the company. The company developed me from there.
Yes - but only to get through HR | Vendor specific, SANS/GIAC, CISSP | a summer job
Yes - but only to get through HR | | Learning assembly made me dig deeper.
Yes | EC-Council (CEH etc), SANS/GIAC | 1. Unknown to me, I was "hacking" at BBSs in the mid 90s. Then, worked for Hosting Providers for years where dealing with hacks happened all the time. Didn't really think of it as a full time job until I joined a bank as a SecureID admin, then moved into Investigations and IR - been doing it ever since.
Yes - but only to get through HR | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc) | Interested while in university in 2008 and set on security books, virtual labs and videos to learn; currently working for a computer security firm.
Yes | CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc) | Currently studying at university.
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | I have had an interest in security since high school starting with the BBS scene. Even got chances to go to some early security conventions like Summercon and HoHoCon and met some interesting people (Emmanuel Goldstein, Captain Crunch, etc.) From a career standpoint started working in system administration in roles at smaller companies that included security. With the experience managing firewalls, IDS, etc and these smaller companies I was able to get a job as a security analyst, and moved up from there. I'd say starting with system and network administration not
Yes | SANS/GIAC, Offensive Security (PWB, AWE etc) | Started in IT as an intern, moved up to be a SysAdmin for a while and then was lucky enough to be working for a company that was creating a security team and opened new positions. Previously, because the company didn't have a security team, the Sys Admin team was also responsible for security so I had "some" experience from there.
Yes | EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, IISP | Working in a department that provided secure solutions to Government departments, and moved into network security
Yes | Vendor specific, CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP | from networks




No | CISSP | Enrolled on an Ethical Hacking Degree in Scotland
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | Independent consulting; SOHO engagements and found vacuum.
Yes | SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) | It grew over time. I started as a field tech and volunteered for any and all security related tasks. I also spent (and still spend) 10-20 hrs per week tinkering on the side. Eventually I had enough experience that I felt confident enough to highlight it on my CV and apply for security centric jobs. I eventually landed a gig as security consultant.
What do you know now that you wish you'd known when starting out? | What one piece of advice would you give to someone wanting to start a career in security?


Politics will always play a part. You will become the most hated dept in the building. Change control know nothing and will fuck up your working life. | Read - constantly; Be willing to peer over someone's shoulder; Ask lots of questions; Break things but then learn how to fix them (even if it's during production hours) (yes, that's 4)




Not been doing this long enough to really say, but I'm coming to the realisation that it's all too easy to become reliant on tools rather than techniques. |




How to deal with management in implementation of security measures. | read, learn ...
 | Get things on your resume that show you have some understanding of the field.

Probably taken less time in college curriculum focusing on "security" courses. Most is learned on the job. | In my industry (defense), the pendulum is swinging from college degrees to certifications.




uh, a lot. | Read, I have so many damn bookmarks chock full of information.
Be silent more often. If you don't know what you are talking about, or only know a little bit, and purport to be an expert, you will be taken to task. Listen more, speak less. | It's all about reputation. Certs are useful, but if you are unknown you won't be taken seriously. Get out there, meet people, and learn from them!




I still consider myself starting out and still have much I'd like to know. I guess the big one for me is that sec folks love twitter and it's a good place to float ideas. | Make sure it's something you really want and can keep up with, not just something you enjoy on the side.
Certifications are important | hands on experience is helpful
Research before asking questions, it's probably out there. | I've always liked Offensive Security's mantra of "Try harder". It's usually after the point where you are about to give up that you find the answer you were looking for.
People skills! When I started out I was using some social engineer tricks, but didn't even know that I was doing that. Learn how to exploit people. | Be creative and think out of the box.
When I started I thought I knew about security pretty well. Now I feel less knowledgeable than when I started. | Work on your "How to convince others" skills




Most pen-testers are glorified script kids, don't take their input too seriously. | Don't just learn security, go in deep and you have a definite technical edge.
Rest of the world doesn't like security, so give it a go. Yes, it looks cool and complicated, but stick at it and you will 'get' it. | Set a lab environment up to practice with, virtualisation makes these easy these days.
If you do 5 minutes of research before asking a question, you'll either ask a better question or figure out the answer yourself. Your heroes are real people, and are usually very approachable. If someone treats you like dirt, first ask, "Am I being inconsiderate or rude? Did I forget to do the 5 minutes of research first?" If the answer is no, then that person is probably not worth your time. | Do something nobody else has done before. There are a million and a half "penetration testers" and wannabes out there running Nessus and Nexpose and clicking "Exploit" in MSF Pro/Core Impact/Whatever. Find something that interests you, then analyze the security angle. Security is not a "thing" in itself, it always supports some business process. If you can't figure out what the business process is, or what the value is for society, then pick something else, because you're not helping.


                                                                                        Anyone who claims
                                                                                        their class will make
                                                                                        you an expert is a
                                                                                        fraud. The industry
                                                                                        is also full of frauds
                                                                                        and hubris. Do your
                                                                                        research and trust
                                                                                        your nose to avoid
                                                                                        those types of
                                                                                        people. People like
                                                                                        the guy in this video
                                                                                        (http://www.xtranor
                                                                                        mal.com/watch/129
                                                                                        84422/dont-you-
                                                                                        know-who-i-am) and
                                                                                        their warez should
I wish that I knew that I would need a functional understanding of programming to       be avoided at all
be a penetration tester. I was a terrible tester with my limited ability to script.     costs.
                                                                  Pick a field you
                                                                  have a passion for,
                                                                  and learn that area
                                                                  in more depth than
I wish I had started coding earlier, to help me advance faster.   your peers.

                                                                  Be prepared to
                                                                  never stop learning,
                                                                  to never know
                                                                  everything and to
                                                                  never be able to call
To be patient. The art of debugging.                              your self an expert.




                                                                  Get into the mind
                                                                  set or get the fuck
                                                                  out.
                                                                  Srsly, think outside
                                                                  the box, be
                                                                  motivvated to do so
Cons are bad for your liver                                       and u will succeed
                                                                                       Start early. Read as
                                                                                       may books on
                                                                                       infosec as you can
                                                                                       and make sure you
                                                                                       have a play with the
                                                                                       tools you are
It is much easier to get in at an early point in your career where you can get         learning about in
experience as an intern/junior that try and transition from a "regular" IT position.   your own lab.




                                                                                       Go create your own
                                                                                       lab and start
                                                                                       breaking shit and
That writing reports is a pain in the ass.                                             fixing it afterwards.
                                                                                        Read everything,
                                                                                        watch videos
                                                                                        (Security Tube,
                                                                                        Hak5, etc), listen to
I wish I had the opportunity to start out in InfoSec rather than being forced to put 6- podcasts, get on
7 years in traditional IT. I do think that working in IT Ops is invaluable and          Twitter, and go to as
contributes to any success as an InfoSec consultant however 2-3 years would             many cons as you
have been plenty. I also would have started attending Cons much sooner.                 can afford.


                                                                                       Study hard, do the
                                                                                       labs and exercises,
                                                                                       experiment with
No amount of certification can replace experience                                      tools.




                                                                                       Learn
                                                                                       programming/scripti
                                                                                       ng if you want to
How valuable programming/scripting experience could be                                 excel




IA work has a lot of paperwork and politics.                                           Never stop learning.
Be passionate, and
never give up.
There will be times
when you'll hit a
road block. Put
your head down,
and keep pushing
until you overcome
it. These are
opportunities to
grow you. At the
time you won't see it
this way. You will
be frustrated, but it's
the ones that can
overcome these
challenges that
stand out.
                                                                                     Dont chance it and
                                                                                     exploit your way in,
                                                                                     too risky. Get
                                                                                     involved online if
                                                                                     you can,
                                                                                     cyberchallenge etc.
                                                                                     run good online
                                                                                     comps with
                                                                                     certificates that can
                                                                                     look good to an
                                                                                     employer. If in
                                                                                     employment already
                                                                                     is there scope in
                                                                                     your current
                                                                                     organisation? If so
                                                                                     don't be afraid to go
                                                                                     for it, it is supposing
                                                                                     how little knowledge
                                                                                     you may have can
                                                                                     be incredibly
                                                                                     valuable and if you
                                                                                     understand the
                                                                                     basic risks could
                                                                                     well be head and
                                                                                     shoulders above the
                                                                                     staff that are
There's a whole worold of work out there, public naively is all that stands in the   currently tasked with
way.                                                                                 Security duties.
                                                                                         Information security
                                                                                         is not nearly as sexy
                                                                                         as you think; not
                                                                                         that it can't be at
                                                                                         times. I spend way
                                                                                         more time writing
                                                                                         policies and staring
                                                                                         at logs than I do
                                                                                         popping boxes.

                                                                                         Information security
                                                                                         is quickly evolving;
Network. I'm an introvert, and this has never come naturally. However, information what makes it fun
security is a relatively small industry. For the most part, the people in the industry also makes it
are amazingly friendly. I work hard and I enjoy learning new things, but I've still      difficult. If you stop
gotten farther with the people that I know than I have with what I know.                 learning, you die. To
                                                                                         be effective, you
As a corollary to "network," I think it's important to note that information security is need to quickly
a role in a company that involves dealing with people. Brush up on your public           learn and stay on
speaking and negotiation skills. I'm much better at hacking silicon than I am            top of new
hacking carbon, but each is important. Take time to learn and practice those soft        developments on
skills.                                                                                  the bleeding edge.




                                                                                         Do not be shy to ask
                                                                                         questions, talk to
                                                                                         people you admire
                                                                                         on twitter. Realize
                                                                                         that you may say
                                                                                         something ignorant,
                                                                                         but you are
                                                                                         supposed to be
                                                                                         ignorant when you
                                                                                         start out, you are
I wish I had started on twitter sooner.                                                  learning.
                                                                                       Be prepared for the
                                                                                       not-so-fun work. I
                                                                                       really enjoy what I
                                                                                       do, when I am
                                                                                       working inside my
                                                                                       areas of
                                                                                       specialization, but
                                                                                       there are a lot of
                                                                                       projects that I have
                                                                                       to work on that
                                                                                       aren't as much fun.




                                                                                       Hard work and time
                                                                                       are required if you
                                                                                       want to succeed,
                                                                                       and you should
How hard it is to get into this field and how much it cost to learn both in time and   never stop trying to
money                                                                                  learn
                                                                                       Develop skills in
                                                                                       other areas of IT
                                                                                       (system
                                                                                       administration,
                                                                                       network
                                                                                       management,
                                                                                       development, etc.)
Risk management and threat modeling are key components to analyzing the                either before or in
specific risk a vuln is exposing a company to in any given situation.                  addition to InfoSec.
                                                                                           Make sure that
                                                                                           you've got the
                                                                                           basics down before
                                                                                           you even start
                                                                                           thinking about
                                                                                           security. Spend time
                                                                                           working as a
                                                                                           sysadmin,
                                                                                           programmer,
                                                                                           technician etc...
                                                                                           BEFORE you move
                                                                                           into security. That
                                                                                           knowledge will
It's all about the report... you can be the best penetration tester in the world, but if   come in more handy
your report sucks, so does your test!                                                      than you know!




                                                                                           Plan to work more
                                                                                           than 40 hours per
                                                                                           week for at least
                                                                                           five years. The
                                                                                           more you work, the
                                                                                           more the learn. You
                                                                                           have to learn faster
                                                                                           than your
                                                                                           competition (peers
                                                                                           for jobs *and*
                                                                                           blackhat attackers)
                                                                                           if you want to
That security is an issue of tradeoffs and not a binary of "secure" or "not secure"        succeed.
                                                                                    Take your time, start
                                                                                    at the bottom, and
                                                                                    don't rush things.
                                                                                    Stay current. Make
                                                                                    a Twitter account
Entering security is a SLOW process. You need to know a lot of stuff about a lot of and start following
things to be proficient. Being able to recite everything from the Security+ exam is other security/tech
great, but it doesn't prove that you know how to implement any of those concepts. people.
                                                                                     Get your own "lab"
                                                                                     at home, be it a
                                                                                     virtual machine
                                                                                     setup, wireless
                                                                                     equipment, etc...and
                                                                                     do your own testing.
                                                                                     If you can splurge
                                                                                     on Microsoft
                                                                                     Technet
                                                                                     Subscription and
You can't control everything and let things go...ultimately you are there for the    use those to
business. If the business decides that your concerns are not that important, so be   configure and
it - fix what you can.                                                               attack...




start learning encryption types early too, Applied cryptography by Bruce Schneier.   read more talk less.




                                                                                  Get a good broad
                                                                                  background in
                                                                                  computer science
                                                                                  fundamentals and
                                                                                  "learn how to learn".
                                                                                  Technology will
                                                                                  completely reinvent
There's more to Information Security than purely technical correctness. There are itself multiple times
business and political issues that often trump the "best" technical solutions.    during your career.
                                                                                        Learn one facet of
                                                                                        IT in depth. Learn to
                                                                                        be creative an push
                                                                                        things from a
                                                                                        different angle.
                                                                                        Tenacity because
                                                                                        the movies are not
                                                                                        real. Foster
                                                                                        personal
                                                                                        happyness. Happy
                                                                                        people are more
                                                                                        energetic and able
                                                                                        to weather tough
More programming                                                                        periods of life.




                                                                                        Learn as much as
                                                                                        you can as often as
A computer science degree from a reputable school would help greatly in                 you can. Practice to
understanding some of the higher level topics.                                          hone your skills.




                                                                                        Don't get into
                                                                                        security for the
                                                                                        money. Most, if not
                                                                                        all, of the people
                                                                                        who do this do it
                                                                                        because it's fun and
                                                                                        a challenge. It's just
                                                                                        an added bonus that
                                                                                        we get to work in a
                                                                                        field that pays us to
Nothing really. You kind of have to make mistakes and grow from them. The               break/fix/research
quicker you get used to that mindset and realize that it's the nature of security the   interesting stuff full
better off you will be.                                                                 time.
                                                                                         Commercial
                                                                                         awareness is
                                                                                         essential - read up
                                                                                         on everything you
                                                                                         can, be critical of
                                                                                         everything you read,
                                                                                         look for trends and
                                                                                         characteristics in the
                                                                                         industry. That will
                                                                                         provide a strong
The importance of being critical, as I feel that's one of the most important             advantage,
attributes. Also being aware that certifications aren't always a reliable indicator of   especially during
someone's expertise.                                                                     interviews.




                                                                                         First get very strong
                                                                                         sysadmin and
How much paperwork would be involved!                                                    interpersonal skills.




                                                                                Read. Incessantly.
                                                                                If you are never
                                                                                surprised when
                                                                                people speak to you
                                                                                about things, but
Security is a balance between risk mitigation and corporate earnings. Companies can comment with
must continue making money to pay your salary. Ergo, the best security may not specific details, you
be the right security.                                                          will build credibility.
                                                                                    Its not all
                                                                                    pentesting, many
                                                                                    times clients only
                                                                                    want scenarios or
                                                                                    policies or
                                                                                    vulnerability
                                                                                    assessments. If
                                                                                    anyone comapny
                                                                                    says all the do is
How to use many of the comercial tools that I could never afford but that some      "real" pentesting,
clients require we use.                                                             they are liars or they
Better writing skills including grammar, punctuation and technical writing skills   are broke.



                                                                                    Be passionate about
                                                                                    it, learn the ins and
I have not been here long enough to have such retrospection.                        outs of systems.




                                                                                    Learn to program
Technical writing (still learning).                                                 (scripting at least).
It's simply not possible for mere mortals to be good at everything in security. Focus is key.
    Dabble in everything security-related you can and try to figure out what you like doing best in the field. Once you've found it, dive in deep and work, live, and breathe it.

an undergraduate degree in computer science or good workex in computer science helps a lot. Sometimes you need to struggle your way out! But that's the fun!
    Information Security is not just Security in applications and networks. It's a huge spectrum of areas which ultimately lead to security for data or controls. It's always good to remember, to be a holistic security professional (more specifically in infosec consulting), it always helps to be knowledgeable over a breadth of topics in security (SCADA, networking, appsec, mobile infrastructure, etc.) than trying to gain deep knowledge in one topic. That too, not having a CS background, I feel this is the way to go for someone wanting to start a career in security like me! And one other thing is security is all about

University is only a drop in the ocean of what is happening out there. It is well worth duelling a university security course while also gaining on the job experience or at least researching the role of security in business simultaneously.
    Make a friend in the industry who can give you a sneak peek and prepare yourself for the attitude, attention and processes which you will encounter.

n/a
    hands on experience. learn system programming.

I can't think of anything to be honest...
    Get as close to the customer experience as possible. Having worked for vendors for most of my career, I know that it can color your perspective. If you work for a database security vendor, you'll be convinced that this is the MOST important domain in security, essentially you'll become a "one track mind" security professional. If you work within a customer environment or you are "the customer", then you'll realize the full picture of all of the things that matter in cybersecurity. Alternatively, if you work for a variety of vendors, this can also broaden your perspective.

You need to "look" professional, as much as you should "be" professional... (i.e. certifications / appearance does count as far as the customers are concerned)
    Learn as much as possible about a lot of subjects, and try to specialize in one or two.

That 90% of the tools are useless.
    Learn as much as you can, practice, code, and use as few frameworks as you can.

Assembly, and that merely getting a couple certs won't get your foot in the door like you think they will. It isn't some magical world of "Get an OSCP and get a job"
    Meet everyone, and don't play politics as much as possible.

How much work it was.
    Keep exploring no matter what.

How to write proper policies and procedures.
    To be more patient and open-minded. Try to think outside the box. And start to enjoy writing reports because you're probably about to create a few of them.

Business skills are more important than technical skills.
    Do it for love of what you do, not to make money. The money is good, but if you really enjoy it, it's the best job in the world.

That this cyberwar shit would get this big this quickly (so I could get out of infosec sooner and find a less stressful gig).
That the great majority of people in Infosec aren't as smart as you think they are, and I should have had slightly less humility and more ambition, younger in life.
That the 'good ideas' I had early on, really were ahead of their time, and I should have stuck working on them: now other people have the credit for inventing them
    Pentesting might stroke your ego for a while, and will certainly teach you a lot of good shit, but the world doesn't really need more pentesters right now. If you want to make an impact, there are plenty of unexplored areas in Infosec right now, that need more smart minds working in them
    Don't be ashamed to pay your dues in sysadmin (to see how admins work) and tech support (to see how users work) first.. These two groups are the source of all your problems in infosec.. You should walk a mile in their shoes.
    Don't be too eager to start your career

Computer Science stuff is useful if you end up doing research. Good research should always have academic vigor. Peer reviews etc are all part of a good research project.
From a pentest perspective, I don't own the risk, that's the client's responsibility.
    Do something else in IT for a while, security will still be around when you're done and you'll enter the food chain with skills that make customer interaction easier. It's much easier to go and talk to internal folk, if you've been in their shoes and worked on the same technologies.

Start early, I'm 29 and not so easy now to take on a new career from scratch, and the associated pay drop. Also sec industry has diversified so much in the last 10 years it is difficult to get an overview of what jobs are available for the inexperienced, and the technical advances have made for a steeper learning curve to get into the industry.
    Find out specifically what sector you want to be in before doing anything else, although any knowledge is good knowledge.

Salary... and the existence of feeds of security sites like CVE, security focus, full disclosure, open source security, etc.
    In this country: Do not start, I only work for art's sake.

Formal education is great, but it probably didn't prepare you for the realities of InfoSec. Certifications are mostly crap.
    Network with the pros and ask lots of questions.

Nobody knows everything about everything. Become a specialist in a limited field and that will be useful and have some longevity.
Jack of all trades is hard to maintain.
    Don't buy training certs for the sake of it, they mean nothing unless you have firm foundations in InfoSEC.

The relevance of physical proximity in security.
(I can hack you in the cloud from across the world, but if I can walk in and carry out a box, I don't have to)
    Network. Get to know people, and get them to know you.
    People answer n00b questions much more willingly when asked by someone they "know", however slightly.

No one is going to teach you or sponsor you for training. Take charge of your own life and invest in yourself. SANS work study or self study is the only way to cert solo w/ GIAC. How to build a home lab, what to do to learn. The industry needs more guidance here.
    Be a sysadmin or network admin or DBA first. Or, if you want to do Audit, be a business analyst first. Don't skip the hard work, or you won't have the basics that make you useful in infosec. It's not about breaking stuff; it's about making sure it gets fixed. And that means knowing how it should work, not just how it shouldn't.

Don't focus on "technical aspects" but also the "business".
    Passion & don't count your time.

To be strong enough and smart enough to know I was being used to make my superiors look good. You will be used and someone will take your credit, don't let them.
    Use the eyes on the back of your head. Stay on top of everything you can but don't hold on too tight or it will break away from you.

A good reading list
Concise information about which certifications are worth it and which aren't
A good forum or website to meet people and share ideas (not one full of people asking how to hack their girlfriend's hotmail account)
A list of basic requirements for each area of InfoSec (pentester, malware analyst etc) and yes I know it would be a big list
    Don't give up, try to focus on one or two areas and work to improve those before moving on. Reading "general" InfoSec books is good but you need to know how to use the tools of the trade.
    Try and work out what you want to achieve and research.. Google is your friend, make the most of it.
    Join Twitter and track down some of the more reliable twitters and listen to what they say (don't be afraid to have your own opinions).
    Start a blog.. not for fame and glory but more for keeping a record of what you learn. Doesn't matter if no one

Nothing, really, you learn well when you discover things and tried to do them by your own.
    Be a student, to learn security you don't need courses or certification, you need to spend a LOT of time in discovering things by your own and by practicing.

When to shut up and watch others at work, learning from their actions before I tread forward.
    Only get into it if you have a passion for it. Otherwise you'll be beaten and burned out quickly.

Learn as much as you can all the time. Once you have kids there is no time left for learning until they grow up.
    Write a blog, post blog entries about things you think about, discuss with others and like to work with. It gives you visibility in the industry which is small enough that people can learn your name very quickly.
    Write or contribute to open source or open materials (OWASP, exploit db, OSVDB).
    All of the above shows your interest in the industry, your mindset/skillset can quickly be vetted by your open source contributions and project affiliations can again help your visibility in the industry. AND YOU'LL LEARN A LOT FROM IT!

How much past indiscretions (background) would hinder me in future employment
    Don't wait for a security job to start doing security work.

Getting out there and meeting people, now there is so much information on the internet.. back in my day, there was no internet just BBS and text files that was 10 years out of date :)
    Learn about as much stuff as you can, don't limit yourself to one subject.. research every thing and any thing, and don't be afraid to ask questions.. as long as it's not.. teach me to hack :)

More risk management and fundamental security concepts.
    It's difficult to start a career in information security without first having a background in IT. All too often, people look to security for experience.

How much compliance drives the industry.
You will live in hotels.
    Be passionate and learn to be personable. Join a group such as ISSA and meet lots of security people.

I wish I'd had a better idea when I started of how to communicate to non-technical people. I spent more time than I should have trying to push tech policies through without properly communicating the need to the non-tech groups.
    Be tolerant of the non-techs, teach them, but don't talk down to them. Be aware that sometimes, the business needs trump security best practices.

    Find a niche that you are particularly interested in and focus in on that. "Security" is an extremely broad word, and you can
                                                                                  go in circles if you
                                                                                  try to learn it all.
                                                                                  Once you become
                                                                                  good at that nitch,
                                                                                  you can decide to
                                                                                  become an expert in
                                                                                  it (and push the
                                                                                  research forward) or
                                                                                  move on to
                                                                                  something else.
                                                                                  Now you will have
More programming skills. Regardless of what people say, you should start there.   two skills. :)




You need to network!                                                              Dont get into it for
Networking is key                                                                 the money
There is great incentive for vulnerabilities to be ignored by those who created the
products. Do not expect vulnerability reports to be handled well, or nicely, or in a
timely fashion. Expect a fight.




#1 Scripting/programming

#2 More Business knowledge
                                                                                       Work hard and
#3 How amazing people are at doing security badly.                                     passionately
                                                                                       enough that you
                                                                                       attract mentors.




                                                                                       Learn to program
                                                                                       then to hack, not
                                                                                       other way around.
                                                                                       Also play alot of
                                                                                       online hack games
                                                                                       that require you to
                                                                                       use XSS, SQLi,
It's all about web, low level ASM is nice but not very useful.                         XSRF, etc.
Also, 9/10 sites are crap and vulnerable.
                                                                                     Don't quit, and don't
                                                                                     get stovepiped into
                                                                                     one expertise for too
                                                                                     long. You'll get
Bash- but you have to start somewhere.                                               burned out and want
That every exploit released/discovered is due to experience, persistence, or luck;   to go into
or all three. If you don't have experience then persistence is a requirement.        management. ;)




                                                                                     Move to northern
                                                                                     VA or central MD
                                                                                     and get a security
I wish I had known how to negotiate my salary.                                       clearance.



                                                                                     Get a degree if you
                                                                                     want but what's
                                                                                     really important is
                                                                                     practical
                                                                                     experience...that
                                                                                     and who you know.
                                                                                     Also, if you're a
How much women are unwelcome in this field as anything but window dressing.          woman, prepare to
Seriously.                                                                           be hated.
                                                                             Find what you love,
                                                                             and follow it. don't
The programming Languages are valuable. That security has many sub groups,   go after what the
that are completely different.                                               new hot thing is.


                                                                             I think particularly if
                                                                             you are going to
                                                                             work on defense
                                                                             having a broad
                                                                             background is
                                                                             almost necessary in
                                                                             order to effectively
                                                                             work in an
                                                                             organization.
                                                                             Security has
                                                                             broadened out so
                                                                             know about yourself
                                                                             and what
                                                                             environments you
                                                                             will be successful in,
                                                                             then pick an
                                                                             appropriate area.
                                                                             Also security is a
                                                                             filed that is always
                                                                             changing and
                                                                             requires constant
                                                                             learning. If you are
                                                                             looking for a field
                                                                             where a few years
                                                                             of intense study and
                                                                             work gets you 30
                                                                             years of career this
                                                                             is probably the
                                                                             wrong field.
                                                                             However if you like
                                                                             change and
                                                                             continual learning,
                                                                             jump in.
                                                                                  Keep play with the
                                                                                  software that is out
Concentrate more on some sort of programming skill and sticking with it. Perl     there and try to
would have been great to know. I remember when Python first came out...I wish I   understand what it
would have picked that up.                                                        does, why it does it
                                                                                  and how to defend
                                                                                  against it.
                                                                                  To get involved in
                                                                                  different projects
                                                                                  and contribute,
                                                                                  there are a lot of
                                                                                  open source
                                                                                  projects you can
                                                                                  contribute to in
                                                                                  different ways.
                                                                                    Don't start in
                                                                                    information security.
                                                                                    Start with learning
                                                                                    everything you can
                                                                                    about networks,
                                                                                    authentication
                                                                                    technologies, Active
                                                                                    Directory, web
                                                                                    applications, Linux
                                                                                    etc. and then move
                                                                                    into security.
                                                                                    Having a good
                                                                                    foundational
                                                                                    knowledge of how
                                                                                    things work makes
                                                                                    you a better
                                                                                    explorer and
                                                                                    assessor how to
                                                                                    make things not
                                                                                    work, or work in a
                                                                                    way different than
It is important to know how to work as a team, and how to deal with other people in expected, or where
your company on security issues in a constructive fashion, as they will not always weaknesses may
take what you say as gospel.                                                        lie.

                                                                                       Security is a
                                                                                       mindset not a
                                                                                       knowledge base.
                                                                                       You need to learn to
                                                                                       think about how
                                                                                       things break and
                                                                                       you need to have
                                                                                       that twisted
                                                                                       mentality that sees
                                                                                       the potential for
                                                                                       exploitation in every
                                                                                       situation. This
                                                                                       applies even if you
                                                                                       never work as a pen
                                                                                       tester. You can
                                                                                       never defend what
There's no "right" way to get into security... There are just opportunities that you   you don't know how
can jump at...                                                                         to exploit.
                                    Patience and
                                    discipline. Do your
                                    own work, self start.
                                    Find interesting
                                    thinkers in the field
                                    and absorb
                                    everything that they
                                    say/write. Break
                                    stuff and try to fix it.
                                    Also thinking about
                                    things in terms of
                                    security will always
Save all the code that you write!   help.
                                                                                   Work your ass off!
                                                                                   Everyone else does
How how hard it would be to stay at the top of your game and have a family (with   so you better get
kids, not dogs as some security people prefer).                                    used to it.
                                                                                       Learn two things: 1)
                                                                                       the language of
                                                                                       business and 2)
                                                                                       how to gauge
                                                                                       relevancy (i.e. some
                                                                                       things aren't worth
How important it would be to use LINUX tools to generate metrics, presentations        the fight because
and data visualization. If you can't talk the language of business all the technical   they aren't relevant
jargon you got won't do you any good.                                                  to the business)

                                                                                       There is no locality
                                                                                       in any company
                                                                                       back to the
                                                                                       employee. They are
                                                                                       usually being run by
                                                                                       non-empaths. Get
                                                                                       every cert and other
                                                                                       marketable
                                                                                       education as
How one bad boss can ruin one's career.                                                insurance.

                                                                                       Get all the
                                                                                       experience in
                                                                                       Network
                                                                                       Administration and
                                                                                       possibly
                                                                                       programming
                                                                                       possible. Being able
                                                                                       to communicate and
                                                                                       present is key.
                                                                                   Start your interest
                                                                                   and obsession in
                                                                                   security far before
                                                                                   attempting to break
                                                                                   in.
                                                                                   Experiment, test,
                                                                                   secure, break, live
                                                                                   it. It has to be a
                                                                                   hobby for you to
                                                                                   succeed, and I
                                                                                   believe that a lot of
                                                                                   employers are
                                                                                   looking for that
                                                                                   quality in their
Compliance standards and good reporting standards to show worth.                   security individuals
How active the Twitter InfoSec community is.... it's priceless.                    now.




                                                                                   Get in bed with the
                                                                                   operations and
                                                                                   finance people (not
Customers think their safe until you show them otherwise, however when it fails,   literally, however
even when you warned them, it is your mistake.                                     this might also help)
                                                                                         If you are not in a
                                                                                         Security position but
                                                                                         want to be, prove
                                                                                         yourself by
                                                                                         demonstrating an
                                                                                         interest. Study,
                                                                                         train. Request
                                                                                         courses that lead to
                                                                                         certification. Don't
                                                                                         fall for the whine
                                                                                         that certs are just
                                                                                         paper. The
                                                                                         employers are using
                                                                                         them to separate
                                                                                         out the chaff and
                                                                                         see who is working
                                                                                         on their profession.
                                                                                         But, you must have
                                                                                         some kind of
                                                                                         serious technical
                                                                                         chops and
                                                                                         experience to even
                                                                                         show up on the
                                                                                         radar!

                                                                                         Learn Linux. The
                                                                                         best security tools
                                                                                         are based on it.
                                                                                         Understand
I lucked out on this - but I didn't 'know' it. Study Security all the time.              networks. Learn IP
                                                                                         addressing, learn
It will be very hard to find a Security position until businesses begin to realize how   packet reading,
necessary it is right now.                                                               understand security




                                                                                     Be prepared to work
                                                                                     on communication
                                                                                     skills
                                                                                     Pick your battles
                                                                                     Try to keep
                                                                                     business
                                                                                     justification in mind
* Programing in Python                                                               at all times, make
* Understanding that no one has anything figured out; So far its very much a 'make sure you understand
it up as you go' industry still. Don't let vendors convince you that anyone has turn any available
key solutions.                                                                       compensating
                                                                                     control
                                                                                     Be prepared to get
                                                                                     disapointed. Not by
                                                                                     the work in itself, but
                                                                                     by those with power
                                                                                     who doesn't
I wish I'd learned to code earlier. I'm doing some Perl and I'm looking to start     understand, or want
learning Javascript, but man it's hard to find the time when you've got kids and a   to understand, the
full time job.                                                                       need for security.




I wish I would know the organisation name either small or big players, and the       Get you stuff, show
roles I would expect to get as a fresher with the job profile and starter salary.    your skill, and have
                                                                                     patience
                                                                                   Show the key
                                                                                   players that you are
                                                                                   interested.
                                                                                   Volunteer for
                                                                                   anything that is
                                                                                   security related as
                                                                                   the experience will
                                                                                   never be wasted
                                                                                   and you'll get
                                                                                   noticed. Network -
                                                                                   security is a small
Security is a field which is split between Governance, Audit and Technical. Choose sector where you'll
carefully which one you want to get into. You also need to be competent in all     get to know the key
three.                                                                             folks




That programming really is an essential key to understanding what is really going
on under the hood. Scripting is golden when doing pentests and it is MUCH           Learn everything
needed.                                                                             you can.




                                                                                    invest in your
                                                                                    learning. Not
Left column: how good the community is, always willing to help out
Right column: necessarily in money or formal learning, but read, practice and try stuff out

Left column: People say they want security. They really don't. At most, they don't want to be hacked and they usually need to meet a level of security as defined by a compliance body, such as PCI. PCI does not equal good security.
Right column: Prepare for people to ignore your recommendations. When you show how something can be exploited, be prepared to hear something akin to "that would never happen to us".

Left column: Pen testing is not so glamorous as it appears
Right column: Put your own project on github

Left column: I wish I had started out doing pen testing much earlier in my info sec career. It has been the most enjoyable. I also wish I had spent more time on web infrastructure and architecture.
Right column: There are many paths one may travel in the field of info sec, but all will likely use the fundamentals of security. I would recommend that someone starting a career in info sec learn about the fundamentals. For me, it was getting my CISSP. Not that the cert proved I have a fundamental understanding, but rather the process of studying for the CISSP I gained a lot of foundational knowledge that has helped me in my career in understanding why certain controls exist, and why they work the way they do.

Left column: I'm new to security. I wish I would have known how much of an uphill battle it can be to make changes because people tend to see security as a barrier to their jobs.
Right column: (blank)

Left column: where to go to bid on contracts
Right column: Understand it first, get at least a Security+ and CISSP cert if you don't work for a specific vendor.

Left column: As I am still attempting to gain a foothold in the InfoSec industry, I would have to state that everything I have learnt so far is important.
Right column: Get involved - whether it be going to conferences, local meetings, or working on projects in the InfoSec community. Also self study - keep up with what is happening in the InfoSec industry as there is always something new to learn.

Left column: i don't know how to answer this.
Right column: it doesn't happen overnight. do it because you love what you do, not because you think it will be cool.

Left column: I still don't know as much as I like to know. But that's okay. Life is a journey. I'm trying to enjoy the ride rather than focus on the destination.
Right column: Study, practice, and learn all you want to learn while you're young. It's much harder to devote time to it when you have a full-time job, wife, kids, and other responsibilities.

Left column: that this industry is eventually getting offshored for the most part
Right column: don't fucking do it. get a more satisfying job like crack dealer

Left column: just do it! get more web based and diversified. get organized.
Right column: read up and also run lots of vms - test test test

Left column: (blank)
Right column: Get involved; there are many options that are free like twitter, bsides, etc. Also, check with your college job board for part time or internship positions (assuming that you're still in college) for additional starting jobs

Left column: Really, I feel like I'm still learning as I go. I've been around security for 15 years and have picked things up along the way. One thing I would have liked to see 15 years ago, was Jason Street's book. It would have been great to have a more focused "this is everything that can be done" view.
Right column: Learn. you need to be everything. You need to know the networking equipment, you need to know the OSes, you need to know the Apps. You need to know how they should go together so you know when they're not working. You also need to study both sides of the coin. I like the Blue side, but that doesn't mean I haven't spent time wearing a red hat, or playing like a script kiddie. You should also have a lab to play with

Left column: Recruiters are useless. Don't talk to them, go to the source. Do this stuff for cheap/free for a couple of years if that will get your foot in the door.
Right column: Start slow, surround yourself with smart people and NEVER stop learning. If you do this you will push yourself harder and accomplish more in a shorter time.

Left column: Programming will come in handy. I still can't program myself out of a wet paper sack, though I can usually modify a bash script...
Right column: School, classes, more school. Just because you have a cert doesn't mean you know what the hell you're doing.

Left column: The many offerings for a career in Infosec.
Right column: Look at the options that security offers, analyze your skills and hone whatever new skills are required to get into that area. And keep networking. I have to quote muts of Offensive Security on this, "Try Harder"

Left column: Reporting is a killer.
Right column: Get used to working long hours, customers who are hard work and report writing skills. Also learn how to explain things in plain English.

Left column: It isn't as hard as you think it is.
Right column: Find the local security people. Go to hackerspaces, happy hours, speaking events and vendor events. If you don't have local security people move somewhere that does. You can do it alone but it will be a lot harder than it has to be.

Left column: That I'd still be doing basically the same work 15 years later (reviewing logs, firewall configurations, writing and improving policy, educating users)
Right column: It's all about your attitude, skills can be learnt but if you don't have an inherent suspicion of everyone then you'll never succeed.

Left column: I wish I knew how approachable people were. Doing a lot of things on your own is very difficult and having people to bounce ideas off is amazing.
Right column: Try to find a mentor. There are so many layers to information security and figuring out where and what you want to do might be very challenging.

Left column: where all the resources are and how to navigate them. (links, blogs, etc) how to find people in my area also interested in security (ISSA, local Defcon groups, etc)
Right column: make sure it is what you want and that it fits you. try it out, the learning curve is steep and you have to stay on top of things but I have found it to be the most meaningful and enjoyable work.

Left column: (blank)
Right column: If you're not willing to work on your own time to build a test lab and try out these things you read about, you probably won't be happy in the industry.

Left column: Start with learning a programming language first. (when I came in the security world, I didn't have any experience with programming)
Right column: /

Left column: Find a good practical way of disclosure. Don't hack others' stuff. Set up your own lab. Write papers. Get involved in communities
Right column: Learn to program

Left column: Nothing that sticks out at the moment.
Right column: Don't focus your time and effort into just knowing this attack or that vulnerability. You need a good solid understanding of computing in general (TCP/IP, Operating Systems, Protocols) to have a decent shot of getting into Security. The market is full of people who have taken the CEH or even a GIAC cert or two. However knowing the nitty gritty details of protocols and how things work will set you apart in my experience.

Left column: (blank)
Right column: I would recommend one of two paths, the first is internship, if you can demonstrate a strong understanding of the field and a willingness to learn you will find the specialist companies will try to retain you. Alternatively head into the general IT field and build a relationship with the security team and try to establish yourself as a strong potential candidate for when the security team are recruiting.

Left column: high end security consulting companies and exactly what companies are providing security testing services
Right column: get certifications, they are the only thing that people will recognize when you are starting your career. a lot of recognition is given to years of experience, but can still mean knowing nothing. certs are not the end all be all, but they help.

Left column: Talk to people and don't be shy. Paranoia is great except it won't get you very far, social is better. Don't social engineer, actually grab a beer and exchange ideas.
Right column: Fuck around. Don't go "i want to be X" since you honestly don't really know what X is. Play with many fields, VR, crypto, all of it, look and figure out how it works. Don't pigeonhole.

Left column: I didn't really get the different subcultures of the security world. Get familiar with the differences between law enforcement, hacking, and government contractor worlds to name a few. Think about where you can/want to fit in.
Right column: Take initiative. Like any other career field, don't expect anything to be handed to you. Nobody gets paid to be a novelist without first having written a novel. Nobody gets paid to be an exploit developer without having first written exploits. Second piece of advice (I know, you just asked for one, bill me later) is to communicate well. Write, speak, blog; nothing cool you figure out will go anywhere unless you communicate that effectively to people who can take action on that.

Left column: That what I was doing was security :) For quite a while I didn't know what field I was in (which made it hard to progress the career)
Right column: Get a degree, preferably non-technical (Ethics/Philosophy, Law, Economics) or engineering.

Left column: You have to give enough time for each and everything....you cannot learn everything.
Right column: There will be information overload when you start. Unless you set goals you will keep wavering and will find it hard to stay on course

Left column: How easy breaking in is.
Right column: Get involved. Get good at systems management. Get a network in your local sec community.

Left column: How badly America sux at doing network security
COMMENT 1: note that in DoD, "security" means OPSEC, classified versus unclassified, people's clearances, background checks, stuff like that. It generally does NOT mean network offense or defense. In DoD, that is referred to as Information Assurance. Information Security is something entirely different. "Security" is largely non-technical, mostly people oriented.
COMMENT 2: "would you mind...." answering "yes" means that I *would* mind, whereas you have !pedantically set yes to mean that I would *not* mind being contacted.
Right column: Don't....it's a losing battle....there are a lot more of *them* than there are of us.

Left column: When I started out I was naive to "company politics", so always CYA, the company does not have your best interest in mind. But always treat your employer with respect, even when you leave. Especially in a small country, everyone knows everyone, things get around and us Security dudes like to gossip.
Right column: Understand business, marketing and financials

Left column: About the security clearance process
Right column: Dive in, rtfm, give back

Left column: How political security was.
Right column: Be very humble.

Left column: Where to start! There's just so much information...
Right column: Stick to it. It's hard but fun. Get a group of colleagues that you can bounce ideas off of. Set up a testing/dev environment.

Left column: Don't try to learn it all at once. Pick something you are interested in and really learn that area.
Right column: Education, certification, practice and networking are key.

Left column: (blank)
Right column: Mastering at least C and a scripting language like Python or Ruby.

Left column: I looked at security much more like something that was equated with pen testing but it's so much more. There are so many areas that involve security, it is hard to
Right column: Don't wait! I wasted several years trying to get in slowly, earn certs, etc. I finally just went and found a new, entry-level job and went with it. Better to do so early rather than later and get your foot in the door. If you eventually find out it's not for you, well, then change up later. But if you don't go in with the mindset to go all the
pick one. I think people put the glamor on pen testing because it's neat, but Blue     way, you'll just end
team work is fun as well.                                                              up half-assing it.




                                                                                       Never ever think
                                                                                       something is
Assembler, x86 and arm                                                                 impossible.




                                                                                       Learn a strong base
                                                                                       in IT. If you can't
                                                                                       admin it you can't
                                                                                       secure it. Also no
                                                                                       one wants a novice
                                                                                       security guy so
                                                                                       internal transfer will
                                                                                       get you the foot in
That will out a degree you will hit a top in pay / job - it has more long term value   the door for the next
than people see if your only looking at the short term.                                job.
                                                          If you love it do not
Windows administration (still learning a lot of stuff).   start it.




                                                          Be willing to spend
                                                          the time learning
                                                          new tech
You don't have to know *everything* to get started in InfoSec. It's important to
have a good understanding of 'how things work', and also how to research any
specific problem you face.




                                                                                   Read and learn.
                                                                                   Don't memorize
                                                                                   what you read but
                                                                                   actually learn it and
Scripting                                                                          how to apply it.




                                                                                   Code and hack non
                                                                                   stop untill you are
                                                                                   very confident, and
                                                                                   don't start as a white
Don't cheat things                                                                 hat.
                                       be on twitter and
                                       engage in the
how to network more                    conversations




                                       test and practice
                                       everything - use a
certifications only help get past HR   vm
                                                                                      The business owns
                                                                                      its own decisions.
                                                                                      Your responsibility
                                                                                      is to provide them
                                                                                      accurate and timely
                                                                                      information and
                                                                                      recommendations to
                                                                                      make a risk based
"Progress, not perfection."                                                           decision.




                                                                                       Think like a hacker.
                                                                                       If you can't get into
                                                                                       the mindset of
                                                                                       someone who wants
                                                                                       to break into your
                                                                                       systems, you will
                                                                                       have a hard time
                                                                                       attacking
I wish I'd known how fast the industry was going to evolve so that I could have        (pentesting) or
stayed on top of it instead of moving outside the industry. Starting out with no tools defending (sys-
and now seeing all the automation and tooling available, it's difficult to know where admins). The rest
to get back in.                                                                        will come naturally.




                                                                                      Its all about
                                                                                      knowledge. People
How much work the reports are.                                                        and Tech!
                                                                                      see porn




Understanding that all jobs have their drawbacks and it's worth thinking about what
you particularly enjoy (and dislike) when picking roles.
                                                                                      Be active in the
That said, to an extent, that's something people have to experience for               community. Write a
themselves.                                                                           blog, research
                                                                                      things and publish
Also after a certain level, getting ahead is as much who you know as what you         them, keep learning
know.                                                                                 things.
I wish I would have known about virtualization and interactive hacking challenges
like hackthissite.org.
                                                                                      Make sure it is your
If I'd have explored virtualization more (although it was 1999 when I was trying to   passion. This field
learn this stuff) I could have setup a nice lab environment to play around in.        requires a life-long
                                                                                      commitment to
When I discovered hackthissite.org, it rapidly improved my skills. Fun and            keeping your
educational!                                                                          knowledge current.




No need to waste 6,5 years studying computer science ...                              Stay legal!




                                                                                      Keep learning. You
                                                                                      can never ever
                                                                                      know enough.
                                                                                 Read, a lot. Build a
                                                                                 lab. Do some SANS
                                                                                 training. Try not to
                                                                                 get too disheartened
                                                                                 by the level of
                                                                                 complexity you see
                                                                                 on Security related
                                                                                 blogs. 9 times out
                                                                                 10 the author is just
                                                                                 trying to make
                                                                                 himself sound more
The ability to dumb down the technical jargon to encourage my employer to take   intelligent than he
the security issues we have more seriously.                                      actually is!




                                                                                 Have passion and
                                                                                 don't be afraid to
                                                                                 show it. It's
                                                                                 something I
                                                                                 specifically look for
                                                                                 when hiring or
I wish I had focused on programming more when I was a student as I think that    looking for someone
would help me a little more now.                                                 to collaborate.




                                                                                 Don't be a prima
                                                                                 Donna. Ask for
Intuition is important                                                           advice and input
                                   learn how to
                                   program in C then
                                   write basic scripts in
                                   bash/python
                                   read about TCP/IP
                                   try to get basic
                                   certs: GSEC,
programming and system internals   Security+, CCNA




                                   Get as many
                                   certifications as you
                                   can and then go
                                   after experience.
                                   Promote your
                                   abilities through
                                   social media and
                                   get involved in the
Focus on a specific area.          community.




                                   be precise in what
n/a                                you do
                                                                                    Learn about
                                                                                    technology first;
                                                                                    securing it will come
Everything.                                                                         later.




                                                                                    Be social. Give
                                                                                    back to the
                                                                                    community.
                                                                                    Contribute on github
                                                                                    to open source
                                                                                    projects. Write a
                                                                                    blog. Use twitter.




                                                                                    Read books, posts
                                                                                    and listen to
I should have done pen testing sooner, as I'm a far better security manager now I   podcasts all the
can break and fix things cheaply rather than a checkbox approach.                   time.



                                                                                    Learn as much as
                                                                                    you can and keep a
That infosecurity can be really frustrating...                                      creative mind
                                                                          get a BS in
                                                                          computer science.
                                                                          you need the
                                                                          fundamentals
                                                                          before you can
                                                                          understand the risks
                                                                          and how software
                                                                          and hardware are
                                                                          broken otherwise
                                                                          you'll end up a script
                                                                          kiddie who just
                                                                          leverages other
                                                                          people's code and
                                                                          have no clue how it
                                                                          works or what to do
To pay much more attention in assembly and advanced programming classes   if it doesn't work.
                                                                                      Don't focus on
                                                                                      security. Focus on
                                                                                      mastering various
                                                                                      technologies
                                                                                      thoroughly. Once
                                                                                      you understand how
                                                                                      something works,
                                                                                      you will be able to
                                                                                      both secure it and
                                                                                      break it. Be patient
                                                                                      and don't rush into
                                                                                      security. Spend
                                                                                      some time working
                                                                                      with systems and/or
                                                                                      networking
                                                                                      professionally. This
                                                                                      additional
                                                                                      perspective will pay
                                                                                      off immensely in the
                                                                                      long run.

                                                                                     Other pieces of
                                                                                     advice? Improve
                                                                                     your soft skills and
Linux and assembly. I feel like I've been working backwards for several years. My understand
Linux skills are pretty good now, but this year I'm focusing on assembly and exploit business concepts.
development. There's no substitute for genuinely knowing what goes on behind the Don't isolate
scenes and not having to rely on tools.                                              yourself. You'll limit
                                                                                     your career if you're
The Coding for Penetration Testers book is a highly recommended starting point       afraid to leave your
for any newbie (and it's great for more advanced users as well).                     bubble.




                                                                                      Do it, get following
                                                                                      on twitter etc, you'll
                                                                                      learn a lot, and you
                                                                                      have a lot to learn, I
Previous systems I had setup weren't as secure as I thought!                          know I still do!
                                                                                      practice your writing
                                                                                      and communication
                                                                                      skills. in many
                                                                                      ways, they are far
                                                                                      more important than
                                                                                      pure technical skills,
                                                                                      because ultimately
                                                                                      the way to deliver
                                                                                      value to people is to
                                                                                      clearly explain the
                                                                                      problems and how
                                                                                      they can be
                                                                                      resolved.

                                                                                      also, try to avoid
                                                                                      getting caught up in
                                                                                      the "conference
                                                                                      scene". it's an echo
                                                                                      chamber that often
                                                                                      creates more
just how f'ed up internal IT security departments can be. having always been an       problems than it
outside consultant it was easy to not realize how painful things are on the inside.   solves.




                                                                                      If you are starting to
                                                                                      learn security, make
                                                                                      sure you know the
                                                                                      basics first. All it is,
                                                                                      is technology from a
                                                                                      different
                                                                                      perspective. See
                                                                                      last example.

Some of the best people in security are people you have never heard of.               If you want a career
                                                                                      change to security
I did this myself but see others skip this, make sure you know the basics before      practice some
you try the big boy toys.                                                             hacking techniques
                                                                                      and do some
example:                                                                              challenges. This
Learn what an exploit is before use metasploit (at least EIP overwrite)               has to be specific to
Learn TCP/IP stack before you use nmap                                                what type of security
Learn at least 1 language no matter how simple the language is.                       you want to get into.
                                                                               Persevere, one
                                                                               single step at a
Don't know.                                                                    time.




Nothing really matters except undestanding the methodology and the fact that you Know 27001 and
can't know everything.                                                           cobit

                                                                               Lots of research,
                                                                               practice and
                                                                               experience. get a
                                                                               good grounding in
                                                                               all areas.
                                                                               Understand the
                                                                               ethics of what you
                                                                               know and do.
                                                                               Always know where
                                                                               the line is.
                                                                               Learn to use tools
                                                                               and develop your
                                                                               own
                                                                               techniques/methodo
                                                                               logy.
                                                                               Understand that
                                                                               someone will always
                                                                               do or figure out
                                                                               something that you
                                                                               haven't thought of.
                                                                           Understand how to
                                                                           admin the network
                                                                           and systems first,
                                                                           understand the
                                                                           users perspective
                                                                           and then start with
                                                                           security to better
                                                                           understand the
                                                                           balance. You can
                                                                           lock something
                                                                           down so much it is
                                                                           un useable, without
                                                                           that background in
                                                                           the day to day tasks
                                                                           running them you
                                                                           may not understand.
                                                                           Also, the biggest
                                                                           thing I find doing
                                                                           internal vuln tests at
                                                                           my work is
                                                                           misconfigurations
                                                                           which I know about
                                                                           because I admin'ed
                                                                           those types of
                                                                           devices. (IE
                                                                           netapp with the
                                                                           default ifs share that
                                                                           contains the /etc dir
                                                                           which you can
                                                                           mount r/w) There
When I started out in computers, the correct way to program and a better   is no nessus check
understanding of programming basics.                                       for that




                                                                           read ALL THE
                                                                           THINGS. But
                                                                           seriously, read what
                                                                           people are
                                                                           producing, be social
                                                                           and try things for
                                                                           yourself. Bring your
                                                                           own style to the
It's not all about the 0 Day.                                              table.
                                                                                    Get a good
                                                                                    grounding of
                                                                                    fundermental
                                                                                    networking and
                                                                                    WebApp
                                                                                    technologies. Start
                                                                                    learning the various
My Degree wasn't really that worth while for this industry. The Degree's now are    techniques on
better because you get some that focus on the security elements of IT. Back when OWASP and the
I did my degree it would have probably been better to not have bothered and         like. Download
instead started to learn the trade and I would have been further along in my career some of the attack
by now.                                                                             labs and practice.




Hack more, and don't think things are out of reach. You can learn what you put your mind and heart into learning. Be on helpdesk someday; this is not just a job for the administrators. You learn more from helping users with their problems than you may think. | Be curious, and persistent. Reach out to others, either via 2600 meetups, or some other place where you can meet others. Learn to carry a conversation and how to listen.

Get on Twitter!!!!!!!!!! | Get on Twitter!!!!!!

Connections, good people to learn and share knowledge. | Learn about everything better than anyone. Be passionate, continue to learn, self-educate. No training is enough apart from self-education and effort. Understand business.

Management is for pussies, stay close to the technology. | Start someplace else where you can make money and then get into it from there.

Marketing, and industry organizations like ISSA, SANS, and ISACA. It's not what you know a lot of the time, but how you can market yourself, especially as a female in a very male-dominated sector. | Connections. Join the ISSA and IEEE as a student, and immediately begin to build mentor and colleague relationships. These organizations will also help with certification training and keeping pace with industry trends. For example, my chapter of ISSA received a visit from RSA last fall with a breakdown of their breach, and lessons learned and recruitment offers.

I don't know. | Learn a lot.

Networking. | Learn all you can about networking and learn how to script proficiently, find a mentor and get involved in the community.

A better understanding for weighting "theoretical risks" and "business impact". | Enjoy what you're doing -- it's the most important aspect of success.

| Start with a solid foundation in networking, systems administration, Linux and a decent programming language like Ruby or Python.

That programming has a significant place and should be encouraged if not required. | Hope you have great reading, comprehension, and retention skills.

| Dedication is the key, and specialization too. Choose one area and focus on it.

Just how worthless the "big" certs are. CISSP/C|EH, etc. I would have spent the time studying for those on self-learning given the right pointers. | Buy a copy of the Art of Exploitation (or similar), work through it, and see if you're in love with it.

That this industry really does run on passionate people. | Don't. Please do not join this field if you are not willing to learn or keep an open mind. A CISSP/IAM/IEM/CISA/CISM does not in any shape, way or manner make you a good security professional. I have seen too many security "consultants" that cannot find their way out of their home directory on a Linux machine. A keen eye for things, the ability to work independently and an open mind would.

There's always far more to learn than there is time to learn, so pick something that interests you and dig into it. Don't worry if it's directly relevant to a particular job. The value for you is developing your mindset, and a deeper understanding of some specific topic. Those lessons easily map to other areas. The value for your job search is that it shows you have initiative, and a developed skill in some area. A good employer will know that you can apply that again in other areas. | Same as above: There's always far more to learn than there is time to learn, so pick something that interests you and dig into it. Don't worry if it's directly relevant to a particular job. The value for you is developing your mindset, and a deeper understanding of some specific topic. Those lessons easily map to other areas. The value for your job search is that it shows you have initiative, and a developed skill in some area. A good employer will know that you can apply that again in other areas.

Security is about balancing risk with usability. | Run!! Run Away Fast!!

It isn't as difficult to start. In 1 year I was able to learn enough to be considered "advanced." | If you want a career in security why don't you have one? Security is and should be involved in every aspect of IT. If you don't have a career in security then it is because you don't want one.

How important networking (people) would be, and how important a college degree is. |

To learn more programming/scripting. Start getting into hash cracking earlier. | Set up labs (with VMs) and try to get as much hands-on experience as possible.

I'm not sure yet, since I'm still trying to get my break. | Again, I'm not sure, since I'm still trying to get my break.

Besides what I've learned in terms of skills, nothing. I had great mentors that made sure I knew how it was, so there were no surprises. | If you don't have passion for security, don't do it. It takes large amounts of dedication to succeed. Doing it for the money won't be motivation enough to get you to the top of the field.

Patience | Learn and spend time with the things you are meant to secure. If you are IR, be an admin; if you are a pentester, you need to know as much about the majority of stuff you'll be attacking as possible. But it comes down to knowing inside and out the things you are meant to secure.

Avoiding C at uni would make my life difficult later. | 1. Don't be a fucking pretender, there's plenty of them around already. Do the hard yards.

Pick 1 direction (e.g. wifi or vuln scanning or learning attack tools), get comfortable with it and then move on to the next direction. It's good to be thorough. It can suck trying to learn 10 things at once because though you are getting exposed to a lot you are also being spread quite thin. | Speak in fact. Learn that it is ok to say "I don't know". Build a lab/playground and play. Play all day, play for hours, seek help.

I really can't say, maybe because I'm not 100% into security as I would like; because of the market I have to do other things and occasionally do security, but I would have liked to have BackTrack 10 years ago, it would have helped me to get more in-depth knowledge. | Read a lot, practice, have a pentest lab or at least access to one, destroy and try to fix things, also, understand how networks work, a lot of people don't understand simple/basic things like DNS, DHCP, SMTP, HTTP, switch/hub, etc.

How much push back there is to spending budget dollars on security in general. | Get used to failure and be able to overcome it. Security always fails; it is more important that you know that it fails and how you react to it when it does.

This is a lifestyle not a job. | Try harder.

To program better, and more protocol level stuff | Start out as system admin... then a network admin or DBA, then get into security. If you start in security, you don't know the pains of being in IT. You have to crawl and walk before you run... security is a MAD SPRINT..... but it lasts as long as a marathon.

Dealing w/ people | Diversity in learning

People don't take you seriously if you have never managed firewalls. | Learn, practice, get involved.

Research and notes | Research everything

People don't do security for a reason - it spoils their work / fun / ease of use. You need to temper all your suggestions for improvement with this in mind. | Show a basic level of understanding across multiple disciplines: networking, programming, Windows, Linux, etc. - not all, or in great depth, but something other than "I know how to rebuild a Linux kernel, but I've never touched a switch".

Linux. I was very light on it then but now it's my only OS. | Breathe it. Don't just read about it but get involved. Live it.

Nothing comes to mind. | Non-technical skills are also a requirement (i.e. the ability to relate to others, to communicate, and to be humble). Also, I see some beginners lack focus and the ability to concentrate for long periods of time. Are you skimming the document or actually digesting it? First you get good, then you get fast.

There is no limit to evil | Be curious and persistent

| Genuinely want to do it for the rest of your career if not life.

How important programming can be. Also knowing that you can learn at least something from every single person you come in contact with through work. | There is a lot more to it than popping boxes.

| Attend a SANS conference!

That the effort and stress is worth it. | Dedicate yourself to simultaneously being both student and teacher.

I would have taken time to be a Windows admin for a time to better understand that operating system. I would have also picked up a few more programming languages. | Build a base in another area first. Could be administration, networking, application or database management. Even time spent in non-IT positions could be helpful. Having skill sets in other areas helps after you're in the security role.

Find a mentor | Keep your mind open to the fact that security is a wide range of specific job talents. Some places you can focus in on one and others you'll need to be the "jack of all trades".

I wish the internet was there when I started | Start as programmer and then move to security

Community | Find your local community & online community

I wish I would have expanded my system administrator role to also support Windows operating systems. Having a strong base in the operating system you are attacking / trying to protect is extremely helpful. | Touch on other areas of business and IT first. Database administration, system administration, web and application programming - even working in non-IT environments is helpful.

Security consists of multiple non-technical areas including business process, risk management, policy management, governance, compliance | Know thy systems

That the basics of networking, programming, and systems admin would be so helpful later on | Begin at the basics and pay your dues, you will get there if you love what you do.

                                                                                       Focus first on
                                                                                       understanding the
                                                                                       technology you're
                                                                                       assessing
                                                                                       (especially for vuln
                                                                                       assessing or
                                                                                       auditing). Without a
                                                                                       deep understanding
                                                                                       of common
                                                                                       implementations, it
                                                                                       is impossible to
                                                                                       convincingly
Spend as much time polishing your professional presentation as you do technic          describe the
skills. In particular when seeking employment, speaking skills (and to a certain       security risks you
extent writing skills) are as valuable as technical capability, regardless of the      encounter
position.                                                                              otherwise.




Since i'm still a student I regret that I didn't start a blog a bit earlier for self
promotion. I also just got a twitter account




                                                                                       Learn whats going
                                                                                       behind the tools you
How to actually prevent attacks as opposed to just trying them out.                    are using
                                                 Its a field of people
                                                 who have incredible
                                                 drive and passion.
                                                 You've got to exhibit
                                                 the same things or
Operations experience is really helpful.         you wont make it.

                                                 Take a CISSP
                                                 course - it provides
                                                 exposure to the
                                                 wide range of topics
                                                 that make up
                                                 information security.
                                                 Don't worry about
It takes a lot of research time to do the job.   the certification.
                                                                                   Make sure you are
                                                                                   getting into security
                                                                                   because it is
                                                                                   something you
                                                                                   enjoy doing and not
                                                                                   because you think it
                                                                                   will get you a fat
I wish I truely understood the level of "not caring" that management has towards   paycheck or
information security when I started in this position.                              because it is "cool".
                                                           Have a passion for
                                                           security - its much
                                                           to draining if it is
                                                           "just a job." There's
                                                           easier IT pursuits to
                                                           follow if you just
                                                           want a paycheck to
                                                           "work with
Learn to handle conflict. Infosec is all about conflict.   computers."
Don't outsource IT as you get cheap people doing what they think is IT.
Many times you have nice secure designs and procedures which are then let down
because of some outsourced junior IT support person thinks he knows better than Learn how systems
someone with years of experience.                                               work together in
                                                                                depth.


                                                                                    Seek out others in
                                                                                    the community,
                                                                                    learn from them, but
                                                                                    don't annoy
                                                                                    them/hang on them.
                                                                                    Take any training
                                                                                    you can get your
                                                                                    hands on/afford, but
                                                                                    if budget is tight,
                                                                                    attend hands-on
How much I could have learned from the other professionals (a few in particular) if training such as Red
I could have dedicated more time                                                    Hat and OffSec
                                                                                     Start out in 'the
                                                                                     trenches'. I think
                                                                                     even though the sys
                                                                                     admin work seems
                                                                                     unrelated it's
                                                                                     invaluable to know
I have never been a good programmer, nor have I ever wanted to be.                   how things 'work' in
                                                                                     a administrative
Knowing now how important it is to be able to read and analyze exploit code, to be organisation.
able to compile the code, change it to your needs and iron out any faults is proving
more valuable then I could have ever imagined.                                       Furthermore: learn
                                                                                     some programming,
Knowing what I know now I would have put in more effort earlier to be able to gain dammit! You'll get
at least some basic programming skills.                                              more value out of it
                                                                                     then you can
And I would say the same about databases...                                          imagine.




                                                                                    Make sure this is an
                                                                                    avocation as well as
                                                                                    your vocation if you
                                                                                    wish to be
                                                                                    successful. And
                                                                                    build a lab to learn
                                                                                    how to and them
In the U.S. at least, clearances and background checks would be ubiquitous even     have something to
in civilian work.                                                                   experiment with.
                                                                                       Find someone
                                                                                       already in the field
                                                                                       (4 - 5 years or more
                                                                                       experience) to
                                                                                       mentor you. Most of
                                                                                       my peers, myself
                                                                                       included, are very
                                                                                       happy to pass on
                                                                                       our experience and
                                                                                       act as a sounding
                                                                                       board for you ideas.
                                                                                       Your mentor would
                                                                                       not be able to
                                                                                       discuss proprietary
                                                                                       specifics with you
I wish there had been training available when I got started in the security field. I'm but generalities
now doing mostly management but still keep my technical skill up by taking at least around an issue or
one training course a year and attending one conference a year.                        idea you have.
                                                                                       Pick another field in
                                                                                       technology, then
                                                                                       another, then
                                                                                       another. Security
                                                                                       shouldn't be the
                                                                                       start to anyone
                                                                                       unless you are a
                                                                                       computer wizard,
                                                                                       who speaks in C,
                                                                                       dreams in shell and
                                                                                       runs OSS on
                                                                                       everything including
                                                                                       your kitchen
                                                                                       appliances. Security
                                                                                       is a well rounded
                                                                                       perspective of how
                                                                                       to and not to, to be
                                                                                       able to do that you
                                                                                       have to have had
                                                                                       some practical
There is no substitute for work, doing it yourself. Whether for fun, learning, or      experience that will
professionally it doesnt matter. Build and break everything before you open your       back you up when
mouth to question anything.                                                            you need it.



                                                                                     Don't do it just for a
                                                                                     job. It's a way of life.
                                                                                     Once you're off the
                                                                                     clock you still must
                                                                                     enjoy doing the job
The value of just sucking up the need to get the CISSP. I resisted getting any certs if nothing else, for
initially and it hurt in interviews later in life. HR really likes them.             yourself.




                                                                                       Learn to program
                                                                                       and start
                                                                                       understanding the
                                                                                       computer's
                                                                                       hardware and the
The importance of programming and low-level languages (assembly). Also, to             relationship with
understand the interaction of the CPU, memory, and software.                           software.
What basic knowledge and skills should I have as a foundation.        A strong foundation
What courses are recommended.                                         is key!
                                                                      start a project, stick
                                                                      with it until you're
                                                                      the best in the world
                                                                      at that particular
client relationship stuff                                             thing.




                                                                      Get some
                                                                      experience first,
                                                                      preferbly server /
                                                                      network admin and
                                                                      learn how to
                                                                      program to solve
                                                                      everyday problems
Python programming                                                    helps.




                                                                      Get good at
                                                                      development,
                                                                      develop something
                                                                      and release it, then
                                                                      secure it.
                                                                      Be vocal, do
                                                                      writeups. It forces
                                                                      you to publicize
                                                                      what you find, and
                                                                      how you think about
It takes alot of time to get good, spend it now, or spend it later.   it.
I am starting out!                               Learn learn learn!


                                                 get in the field is
                                                 always difficult, you
                                                 can start low and
                                                 work your way up.
                                                 But you have to
                                                 keep developing
                                                 yourself due to the
                                                 fast growing
Certificate will help you to get in the field.   industry.



                                                 Learn another skill...
                                                 Unless you are very
                                                 high end you will be
                                                 replaced by insurers
That pen testers are hated by everyone           and audit types

                                                 He or she has to be
                                                 more specific on
                                                 one field since the
The top 10 vulnerabilities from owasp.           security like ocean.
                                                                                      Make sure you have
                                                                                      a foundation first
                                                                                      that is based around
                                                                                      'defence-in-depth'
                                                                                      methodology. Just
                                                                                      because you know
                                                                                      firewalls really well
                                                                                      doesn't make you
                                                                                      good at security.
                                                                                      Take a look at all
                                                                                      aspects, both
                                                                                      proactive and
                                                                                      reactive, before you
                                                                                      even begin to
                                                                                      consider yourself
                                                                                      skilled. Doesn't
                                                                                      mean you have to
                                                                                      be a SME at
You really have to make a choice early on what you would like your role to be.        everything, but it
Meaning, if you're goal is to be a hardcore pen tester, go down that path. Just don't does help to have at
expect to be management anytime soon, because if it takes that much skill to be       least a general
hardcore, it takes all that x10 to manage a team.                                     understanding.




                                                                                     Setup some VMs,
                                                                                     start figuring out
                                                                                     how to attack and
Better telecomunications                                                             defend.
                                                  Think globally, act
                                                  locally


                                                  Self-study and take
                                                  advantage of the
                                                  resources that are
                                                  easily available on
                                                  the Internet.
                                                  BackTrack,
                                                  OWASP's
                                                  WebGoat, Damn
                                                  Vulnerable Web
                                                  App, etc. You
                                                  should always be
                                                  looking to self-
                                                  improve, expand
                                                  knowledge and
                                                  skills, read/research
                                                  current topics. You
                                                  will also develop
                                                  "soft skills" that will
                                                  be extremely
                                                  valuable: how you
                                                  want your output
                                                  formatted for
                                                  reporting, how best
                                                  to parse output data
                                                  to make it useful,
                                                  what to include
                                                  when reporting, how
                                                  to store output data
Being able to write a good report is paramount.   for re-use, etc.
                                                                              Practice, practice,
                                                                              practice. Thats all
                                                                              you gotta do.
                                                                              Practice what your
                                                                              good at till your
                                                                              great at it.And then
Basic Network Topology and the breakdown of your Computer's hardware piece by focus on some of
piece.                                                                        the other areas.




                                                                               get to one of those
                                                                               good conference if
                                                                               possible, and see if
politics in the business arena                                                 you're interested




footprinting more on Scanning and enumerating and also Metasploit and wifi
Penetration                                                                    explore
                                                                            Learn everything.
                                                                            Learn as much as
                                                                            you can get your
                                                                            hands on. Then do
NSA has a list of centers of academic excellence in information assurance   it, set up a lab and
education.                                                                  practice it. Don't just
http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml                 read about it.




                                                                            you have to love it
                                                                            and live it 24 hrs a
assembly                                                                    day




                                                                            if you do not
                                                                            ADORE security,
                                                                            find yourself another
pentesting is not just whacking boxes                                       job.
                                                                                    Don't get into
                                                                                    security because
                                                                                    you think its the cool
                                                                                    thing to do at the
                                                                                    moment. get into
                                                                                    security only if you
                                                                                    have a passion for it
                                                                                    and it was originally
                                                                                    one of your hobbies.
When i first started out, i tried to be a jack of all trades and master of none. In If you get into this
security, it is in my opinion impossible to be a master in all that encompasses     field just for a
security. I would recommend to anybody starting out, gain a solid base knowledge paycheck, then you
base and then find what you really enjoy in security and master that topic alone.   can expect to get
For example, if you really enjoy wireless technology, learn all you can about that  burned out. This
topic make that the foundation of your security portfolio. IF you try to master all field has to be your
topics, you will get overwhelmed.                                                   passion.




                                                                                     Start slow.
                                                                                     Understand
                                                                                     networking in all
                                                                                     forms, it's the future.
                                                                                     Knowing how data
                                                                                     flow works is
There are always ways around HR crud. Stand out, do something with your spare paramount to
time. If you want to succeed in this industry you have to want to do it. Get to know understanding
everyone and be nice to them, it's a small small community.                          higher concepts.
                                                                                     Be curious. Set
                                                                                     stuff up, try to break
                                                                                     it, understand it, and
                                                                                     figure out how to
                                                                                     make it better.
                                                                                     Don't have an ego,
                                                                                     Learn good social
                                                                                     and written skills
Try not to upset anyone in the industry or customers it's very small in the UK and   they are as
chances are you will end up working with people many times during your career        important as
regardless of the company you work for.                                              technical skills.




                                                                                     Do for the love of
                                                                                     the job / hate of
                                                                                     attackers / batman-
                                                                                     like need to protect
                                                                                     the world. Don't do it
                                                                                     for the money, fame
                                                                                     or women... you'll be
Everything covered by the CISSP | disappoint.

I wish the tool maturity had achieved this level when I was starting out. Backtrack, Metasploit, Nessus, etc. are all good, stable products which make learning about the different attacks and technologies much easier. | Get some solid sys-admin experience. Too many times I see security professionals making wild recommendations about improving security without having a good solid understanding of how the technologies work, and why they might be deployed in the state they are currently in. This also helps when attempting to find weaknesses in systems. Without a good understanding of the shortcuts sysadmins use, juniors have no idea where to start looking for holes.

Not to get married the first time | Be a self starter

Security isn't black and white. It's more like a linear function of many variables, each representing someone's agenda. And of course, each having different coefficients. And yours most probably is not the largest one. | Drop it. No money here.

More asm/coding/reversing skills. I wish I knew more honest opinions about certs, i.e. I might not have spent my training budget on CEH as I don't feel it was good value for money. I wish I knew how to convey risks to senior managers/directors without scaring them, and using terms they will understand. I wish there were more mentor programs, or people/contacts that were willing to give me advice outside of the company; I'm talking about established security pros here. | Keep at it! Learn as much as you can. Focus if you want to become an expert in one area.

metrics matter | be patient but unrelenting

Programming. | Learn to code.

I should have completed SOME sort of College/University. Even if it was a different subject than the one I started. Even move to something that I thought was below me. | Get a personal lab, buy toys. Poke a stick at things. Do what you would do for a career at home to the best of your abilities. i.e.: Run VLANs and a Firewall - Guest Wireless access, servers, VMs..

Degree in this area is almost useless. Much more about certs and experience. | Get as much experience as possible whenever and wherever you can.

Learning to script and program is important, and will help you along the way. | Learn everything you can about all areas of IT. Information Security impacts, and is impacted by, them all.

| You can never stop learning. Ever. This is not an easy career but if you have the energy for it, it can be very rewarding.

Not every question has a right answer, sometimes people just want your answer. | Do not get into security if you want the business to love you, sometimes you will be saying stuff they do not want to hear. Stay strong, stay passionate.

No matter how much you know about security... you don't know it all. | Security principles apply to all including you, so live what you preach.

I wish I had spent more time coding. | Learn as much as you can, attend cons & classes, visit sites with security tutorials (ex. SecurityTube.net, Corelan.be, etc). Get in IRC and on twitter to interact with the InfoSec community.

Columns: What do you see as the next up and coming area? | Is there anything you feel you did wrong that you would advise against? | Is it OK to "practice" on sites/companies without permission if you don't do any damage? | Are conferences worth attending? | Which conferences would you recommend, and if possible, why?

Next up-and-coming area: Quicker, smaller and more blue blinking lights
Did wrong / would advise against: The grass may not always be greener at another company, and don't remove a firewall's default route during business hours.
OK to "practice" without permission if no damage: No, there are plenty of practice areas/labs; don't piss off a sec admin like yourself by triggering all his alarms.
Conferences worth attending: Yes
Recommended conferences and why: Defcon, might as well go with the biggest.

OK to "practice" without permission if no damage: No.
Conferences worth attending: Yes
Recommended conferences and why: Not been to lots so can't really say. Bsides seems to have the best user experience, and I got a lot from it.

Did wrong / would advise against: Yes, educate users first and then implement security measures.
OK to "practice" without permission if no damage: NO
Conferences worth attending: Yes
Recommended conferences and why: Black Hat conference, DEFCON

Next up-and-coming area: The world always needs good programmers :)
Did wrong / would advise against: Not sure - "fate" somewhat pushed me into where I am now.
OK to "practice" without permission if no damage: No! ...Hell no!
Conferences worth attending: Yes

Next up-and-coming area: Mostly more of the same.
Did wrong / would advise against: Lacking on the certifications.
OK to "practice" without permission if no damage: Which company?
Conferences worth attending: Yes
Recommended conferences and why: Derbycon

Next up-and-coming area: I've been in HealthIT for many years. With all the legislation around electronic health records, this is going to be a huge issue for many orgs.
Did wrong / would advise against: I didn't get to know more people in the industry when I was at DerbyCon. Just go up to people and start talking to them. Don't be scared.
OK to "practice" without permission if no damage: No. It is not okay to practice. There are several other ways to practice including setting up your own lab. Facebook just sent a student to jail for practicing on their network.
Conferences worth attending: Yes
Recommended conferences and why: DerbyCon, because it's a great place to rub elbows with the elite members of this group without feeling like you have to be a rockstar to meet them. I met Kevin Mitnick, Dave Kennedy, Adrian Crenshaw, and others even though it was my first con.

Did wrong / would advise against: I compare myself against the "rock stars" and make myself feel I know nothing in comparison. Everyone has their niches and everyone can contribute from all levels.
OK to "practice" without permission if no damage: Not in my book.
Conferences worth attending: Yes
Recommended conferences and why:
  Shmoocon - First talks of the season. Brings in new blood with new ideas.
  Any Bsides available - Always going on, free, fresh ideas.
  Defcon - Culture experience. See lots of people you don't see otherwise.
  Derbycon - Last year was a great start, good speakers and format.

Conferences worth attending: Yes

Next up-and-coming area: Mobile forensics and exploit development.
Did wrong / would advise against: Not be as concerned with anonymity.
OK to "practice" without permission if no damage: Bob maybe, me no.
Conferences worth attending: Never been, but want to go

Next up-and-coming area: Social networks in corporate environments.
OK to "practice" without permission if no damage: Yes. This is a morally gray area, but I feel like it's ok to "practice" if no damage is done.
Conferences worth attending: Yes

Next up-and-coming area: Total integration. Social engineering, system knowledge, business knowledge, social knowledge,
Did wrong / would advise against: Not really, mistakes are important.
OK to "practice" without permission if no damage: No. Create your own practice lab.
Conferences worth attending: Yes
Recommended conferences and why: Blackhat - great training. Defcon - it would take too long to explain why this is a classic and a must. Brucon - great workshops. CanSecWest, Bsides, Derbycon, CCC.

OK to "practice" without permission if no damage: Not at this time and day. Maybe pre-2k1 it was (barely). If you "practiced" on any serious places (serious = with decent security) and are still able to read this, congrats - you have some expertise that your "rank and file ethical hacker" will not be able to match.
Conferences worth attending: No

Next up-and-coming area: Mobile devices are going to cause problems, but mostly the same problems already encountered in other form factors.
Did wrong / would advise against: Don't assume you can't do something; even if you're right you'll learn and develop by trying.
OK to "practice" without permission if no damage: Only if you want a new 'room-mate' called Bubba......
Conferences worth attending: Yes
Recommended conferences and why: Only got to BSidesLDN so far. Reviewing material from other cons post event always leaves interesting material; by far the most useful aspect of cons seems to be [lobby|corridor]-con.

Conferences worth attending: Yes

Next up-and-coming area: Probably something that sounds boring to most people. Nobody gives it attention until someone is passionate enough about it to improve it, then everyone will spin up in a hurricane of buzzwords and exploits, throwing money left and right. SCADA! Mobile! Embedded! Web!
Did wrong / would advise against: Don't go directly into pentesting without spending time on the defense side, or development, or administration. My knowledge is a mile wide, but an inch deep, so I waste a large part of each pentest engagement learning some particular technology, language, business practice, etc. Ideally, I would have a team of people who have that depth in different areas.
OK to "practice" without permission if no damage: NO.
Conferences worth attending: Only for the networking aspect, see below
Recommended conferences and why: I have never attended a security conference, though I would really like to. My experience is from sending my team members to them. Most talks will end up on Youtube, so don't go just to attend the talks. There are plenty of low-cost conferences: don't waste your money on Black Hat, etc. Get involved in online community (Twitter, IRC, etc) and see where the interesting people are going. DerbyCon was an amazing start-up last year and looks to be a great pentest-focused con. Don't rely on a name and history alone: research the speakers and see who's attending. Go to make contacts.

Next up-and-coming area: I see the next area for enterprise security being PowerShell and HTML5.
Did wrong / would advise against: I spent entirely too much money on crappy training and worthless certifications. Buying (well-reviewed) books is almost always worth it, but good training is few and far between. It's hard to turn down "free" training, but make sure it's worth the opportunity cost.
OK to "practice" without permission if no damage: I would avoid this. You aren't doing damage until you are - and then it's too late. There are plenty of free sites with challenges for practicing.
Conferences worth attending: Yes
Recommended conferences and why: Defcon, Shmoocon and a different small con (like Bsides) a year is a good recipe.

Next up-and-coming area: Mobile device exploitation
Did wrong / would advise against: Vulnerability disclosure is tricky, and should be handled carefully.
OK to "practice" without permission if no damage: No
Conferences worth attending: Yes
Recommended conferences and why: A combination of hacker and defender conferences to get a balanced perspective on the problems and the solutions.

Next up-and-coming area: The mass adoption of Static Code Analysis, including Hybrid Analysis.
Did wrong / would advise against: It is always wrong to assume, especially in computing.
OK to "practice" without permission if no damage: As long as no laws were broken, such as gaining unauthorized access, and your intentions were non-malicious.
Conferences worth attending: Yes
Recommended conferences and why: BSidesLondon - networking, cost, talks, openness. BruCON - networking, cost, talks, location.

OK to "practice" without permission if no damage: Define practice
Conferences worth attending: Yes
Recommended conferences and why: Any con that has training relevant for your field, take it and meet the people. I think a big part of success in this field is being able to help others and get help from others when needed.

Next up-and-coming area: Wireless. It is getting lots of penetration and as a subject can be very difficult to pick up without some understanding of the physics involved. Try hunting down a rogue AP some time ;)
Did wrong / would advise against: I didn't get my head in the technical books after enough. I waited before I approached the infosec community for fear of being called a n00b. I didn't get into this business early enough in my career.
OK to "practice" without permission if no damage: No. Get that kind of black mark against your name and no reputable employer will touch you with a 10 foot pole. Also be prepared to lose those certs you spent all that time and money getting. And you will never work for any branch of government.
Conferences worth attending: Yes
Recommended conferences and why: I have only been to a few "real" cons, but BruCON, BSidesLondon and dc4420 were all very useful. Not only for content but for networking. Local 2600 groups could be good as well. The trade shows like InfoSec do not add any value.

Next up-and-coming area: Crypto, lots n lots of crypto
Did wrong / would advise against: no
OK to "practice" without permission if no damage: no
Conferences worth attending: Some
Recommended conferences and why: Bsides, defcon because they are cheap, accessible, and the Black Hat panel who picks the talks sucks.

Next up-and-coming area: It's difficult to say. I believe our industry is too dynamic to make any accurate predictions.
Did wrong / would advise against: General advice: Don't get an ego and don't exaggerate your claims. There are a lot of highly intelligent people in our industry and you can expect any claim to be scrutinized. The last thing you want is to end up on the Errata page at Attrition.org.
OK to "practice" without permission if no damage: No, there are enough places to hone your craft (labs, bug bounties, etc) that you don't need to flirt with the law.
Conferences worth attending: Yes
Recommended conferences and why: Black Hat, Defcon, any BSides, ShmooCon, DerbyCon, SOURCE, "Hallway Con". These are all great learning opportunities and it's a great way to meet like-minded professionals.

Next up-and-coming area: HTML5, virtualization & cloud, mobile-based technologies
Did wrong / would advise against: CISSP - 10 miles wide, 1 inch thick, and proves nothing.
OK to "practice" without permission if no damage: no.
Conferences worth attending: No
Recommended conferences and why: Blackhat, CCC - presentations provide insights into cutting edge technologies and techniques.

Next up-and-coming area: Web apps and mobile devices as attack vectors
Did wrong / would advise against: No, but I suggest building a lab and practicing in a lab environment.
OK to "practice" without permission if no damage: NO
Conferences worth attending: Yes
Recommended conferences and why: SANS (any) because of the amazing security pros that you can meet and network with. Derbycon because it's a smaller conference and even more opportunities to talk one on one with security pros.

Next up-and-coming area: Mobile devices.
Did wrong / would advise against: Overestimating an auditor's intelligence and understanding of network security.
OK to "practice" without permission if no damage: No.
Conferences worth attending: Yes
Recommended conferences and why: Conferences are great to get CPEs.

Did wrong / would advise against: I started out with a plan to go to college to earn a degree in Computer Engineering. Along the way, I started working in the computer industry on the side. I started making decent money, and that distracted me from finishing school. Now, I'm working to finish my degree with a family and a full-time job. I wish I had just gone ahead and finished my degree and been done with it.
OK to "practice" without permission if no damage: It's not ok. There are lots of resources available to practice on.
Conferences worth attending: Yes
Recommended conferences and why: I think most of the major ones are beneficial. Not only for learning, but for networking with people.

Did wrong / would advise against: Didn't study any useful modules at uni.
OK to "practice" without permission if no damage: The million dollar question. Even damage these days can be considered the cost and effort to perform analysis to prove you did no wrong. If in doubt, and if non-invasive means give indication of an issue, contact the site/company first. You never know, that may be your route in.
Conferences worth attending: Yes

Next up-and-coming area: I hope application security gets more visibility. We are making more and more data available on the Internet, but not doing a good job of securing the portals to it.
Did wrong / would advise against: I try to take a class each year. "Security" is a much larger field than people give it credit for, and you should know a little about as much as you can. I wish I started this early and could be more consistent.
OK to "practice" without permission if no damage: No
Conferences worth attending: Yes
Recommended conferences and why: Networking, networking, networking! I get a lot of value out of DEFCON. The concentration of approachable industry superstars is fantastic. I do attend as many talks as I can, and learn a great deal in the process. Whether my employer is willing to pay or not, I haven't missed this one for the last few years. Watching as many geeks in Vegas alone is worth the time. ;-) Local conferences and gatherings are great. I don't learn as much, but it's helpful to network with those geographically close.

Next up-and-coming area: Mobile device security
Did wrong / would advise against: Do not let rejection make you feel hopeless. For me at least, a smaller company was more willing to take a chance on me purely because I had passion and was willing to learn.
OK to "practice" without permission if no damage: No comment
Conferences worth attending: Yes
Recommended conferences and why: DerbyCon and Bsides

OK to "practice" without permission if no damage: No! "Damage" is a relative term - if the company has to spend resources responding to alerts that you cause or tracking down what you did, it still takes time and money.
Conferences worth attending: Yes
Recommended conferences and why: BlackHat and DefCon at least a few times to get a feel for the industry and build a network. CanSecWest, BSides.

Next up-and-coming area: Supply chain risk assessment, aka hardware and/or software analysis to prevent malicious or even poor QA from vendors injecting vulnerabilities into enterprise infrastructure.
Did wrong / would advise against: Not focusing on one area at a time to grow or build on my knowledge base, from networking to programming to OS security.
OK to "practice" without permission if no damage: It is ethically or morally ok to "test" on someone else's property without their permission as you may never know the effect you have on their business, as actions you perform may leave gaps that a malicious person could use against that company.
Conferences worth attending: Yes
Recommended conferences and why: I have never been to a con because the larger cons are very expensive, not easy to get a ticket to as they sell out quickly, not close to where I live, and I cannot get my employer to pay for me to go to a "hacker conference" let alone take time off work. There are a few events in NOVA but they are intimidating for someone who is new to this field and doesn't know anyone.

Next big thing: Mobile and Web 2.0 technologies
Would do differently: Learn an internet, interpreted programming language
Practicing on others' systems: No.
Cons helpful: Yes
Recommended cons: DefCon, Shmoocon, DerbyCon, BruCon

Next big thing: This changes every week.... ignore what the next up-and-coming thing is, and make sure you get your basics down! The next big thing is good fundamentals!
Would do differently: Hindsight is 20/20... If I could pick one thing I would do differently, it would be to get started coding and understanding code much, much sooner. No excuses, just do it!
Practicing on others' systems: Actively attacking sites is a big no-no.... however, looking at traffic and how sites function isn't. Also, some issues can only be exposed and confirmed by using a small amount of playful and creative thinking. Let's just say it's a grey area ;)
Cons helpful: Yes
Recommended cons: BSides* (any and all...), DefCon (if only to meet with interesting people), BruCON (good mix of people and info)

Next big thing: Soft skill communication with management and accounting. We have enough tech. We need to get better at convincing others to use it properly.
Would do differently: Don't focus on tech because it's easier than the people stuff. Unless you're protecting actual people, everything you do is useless twiddling of bits. Remember that people matter and grow to love the messiness and uncertainty of dealing with them.
Practicing on others' systems: No. There are tons of free learning systems out there (Metasploitable, WebGoat, etc). Also, there is no way to guarantee that you won't do damage.
Cons helpful: Yes, if you go to talk with people. No if you just attend sessions.
Recommended cons: Small cons like Shmoo or Derby.

Next big thing: Mobile device security/development, "cloud" security, healthcare infosec, and web app pen testing.
Would do differently: DO NOT RUSH THINGS. Don't jump right into a security engineer role. Start in low and absorb as much knowledge as possible. Don't expect your employer to invest in you. A lot of the time, you'll be spending your own money attending training, cons, and other events.
Practicing on others' systems: No. Never. Not only is it illegal, but since you are still "practicing," it means that you don't completely know what you are doing. You could seriously break something and cause a DoS or worse.
Cons helpful: Yes
Recommended cons: ShmooCon, Defcon, RSA, BSides of any locale, Derbycon, Toorcon, Blackhat. Good networking opportunities, chances to learn about the current state of security, being surrounded with people of all walks to develop new ways of thinking, employee morale boosting. Most importantly, staying current on the events of the security world is critical for security professionals.

Next big thing: Incident Response - it has always been there...but I think we will see a blend of those pentester/forensic skills really come together and redefine the Incident Responder position.
Would do differently: Get all your skills, practicing, learning in when you are younger w/ no children. I currently have kids, am trying to complete college and develop professionally, and it is hard, really hard. Really my professional development has gone way, way down....
Practicing on others' systems: Depends. If you are doing just intelligence gathering...practicing pre-attack operations, then it is ok. Actually compromising is not OK.
Cons helpful: Yes
Recommended cons: Depends on focus... Blackhat; BSides; HTCIA - Forensics/IR focus; ISSA - Good for networking (light on technical stuff)

Next big thing: cloud security.
Would do differently: left college to work.
Practicing on others' systems: ethically sure, legally not so much.
Cons helpful: Yes
Recommended cons: SANS, Blackhat, Defcon.

Next big thing: What we're currently calling "mobile computing". Smart phones, tablets, and other small devices (mostly running proprietary, "walled garden" OSes) will become "computing" for 98% of the population.
Would do differently: I was less kind than I could have been in many circumstances.
Practicing on others' systems: Absolutely not.
Cons helpful: Yes

Next big thing: Social Engineering, which also helps in everyday life and your career.
Would do differently: Nothing really tangible that I can describe here.
Practicing on others' systems: Only if you want to kill your infosec career.
Cons helpful: Yes
Recommended cons: Local BSides cons and Derbycon

Next big thing: Mobile security is a huge issue that needs to be solved, as well as refining the SSL trust model.
Practicing on others' systems: This is two-fold, I think. It isn't ethical to "practice" on sites you do not have permission to do so on. However, if the techniques are known not to damage the site's availability then it shouldn't be an issue. Besides, if the system admin is any good they would be able to block the offender, giving them valuable practice.
Cons helpful: Yes
Recommended cons: I feel the conferences you attend should be the ones with talks on topics you are interested in. Because of this there aren't any specific cons that I would recommend.

Next big thing: Near Field Communication and SCADA (shudder). We haven't seen the last of web application security either.
Would do differently: Probably more than I'm willing to admit in a public forum :)
Practicing on others' systems: No. Never.
Cons helpful: Yes
Recommended cons: DefCon - 4 days of awesome content and craziness. Gives a very good but varied intro to the world of security. Brucon - Because it simply rocks. Small crowd but awesome content. Shmoocon, CCC, Derbycon, Recon

Cons helpful: Yes

Next big thing: I believe the cloud computing industry is nearing saturation, contrary to popular belief. We're likely to see a substantial growth in mobile security and anti-malware solutions.
Would do differently: Perhaps making the occasional statement in the past without fully researching the topic. Infosec professionals can and do get called out on that.
Practicing on others' systems: Definitely not. Everyone has a right to privacy and security.
Cons helpful: Yes
Recommended cons: Infosecurity Europe. BCS events (which are held around the UK). Also keep an eye out for any tech-related events happening locally, and even Hackspaces.

Next big thing: HTML 5 bedding in, network-aware malware on mobile devices.
Would do differently: 'Pot-holing' - concentrating on HMG infosec rather than expanding to the commercial sector.
Practicing on others' systems: No. By 'practice' it is clear that the practicer is not fully accomplished and therefore may affect the operation of the server.
Cons helpful: Yes
Recommended cons: InfoSec Europe. Huge exposure to trending technology (usually) with a broad representation from the industry. Good speaker sessions. I'm sure there are others but I've not had the opportunity to attend.

Next big thing: BYOD
Would do differently: Find the areas in your org that can be shored up without significant business disruption. Educate people about risk and win them to your side.
Practicing on others' systems: Of course not.
Cons helpful: Yes
Recommended cons: ShmooCon - in-the-weeds research.

Next big thing: Testing of all the expensive vendor security controls. Many times pentesters ask to be whitelisted in order to speed up testing. This makes a pentest far less valuable to the client. I believe in the future we will see many more "ring the bell" and "Capture the Flag" type pentests which will not only find security holes but also security control misconfigurations.
Would do differently: I never went to college or have any certifications. I got lucky and didn't need them, but in the real world education matters.
Practicing on others' systems: Hell no. There are enough practice web sites, Linux distros and web apps out there to test on. There is no excuse for live pentesting without permission.
Cons helpful: Yes
Recommended cons: Def Con - The sheer number of people you meet is worthwhile. Shmoocon - Great talks and lots of the "real" infosec people. Derbycon - Because I am a founder :-)

Next big thing: Cloud security
Would do differently: Don't specialize in just one OS/system, be a generalist.
Practicing on others' systems: Depends on how you do it. Sometimes it's OK.
Cons helpful: Yes
Recommended cons: Shmoocon

Next big thing: "cloud" security, or more accurately better securing disparate private WANs
Would do differently: Try and get in early in your career. Pick a path and stick to it - if you can, hackers can be somewhat fickle :)
Practicing on others' systems: no. Set up your own lab.
Cons helpful: Yes
Recommended cons: 44Con, B-Sides London. Primarily due to the limited availability of cons in the UK.

Cons helpful: Yes
Recommended cons: Def con, infosec

Next big thing: The further rise of web application hacking and the decline of memory corruption exploits.
Would do differently: Trying to learn everything. Having dozens of books on dozens of topics is nice but ultimately useless without focus.
Practicing on others' systems: NEVER
Cons helpful: Yes
Recommended cons: DerbyCon - It's an intimate con where you can actually speak with the smart people in the industry. BlackHat - If you're looking to move into the corporate world, this is where you'll find all the suits. Defcon - Because everybody goes. Shmoo - The con that everyone wants to go to.

Next big thing: malware and embedded systems security (more geared towards SCADA)
Would do differently: Getting into consulting (penetration testing) right after Masters helped.. but only for a while. I would highly recommend software development/sysadmin kind of experience before consulting. I felt that would have greatly helped me right now.
Practicing on others' systems: Nope. It's not OK. P.S: err... hackers got to be effing ninjas! Think like one..act like one.! :P
Cons helpful: Yes
Recommended cons: Each conference has its own good talks and useless talks. I would prefer either to attend a wide range of conferences (which is too expensive, so practically impossible for starters like me) or there are always videos of conferences on the internet. I do the latter and attend only one conference a year (whatever my company sponsors). Listed below are the few good ones I have come across based on talks I've seen online:
- BH + Defcon
- Shmoocon
- Derbycon
- OWASP AppSec

Next big thing: Mobile devices. Securing the BYOD (bring your own device) in the enterprise. Managing the risk and asserting ownership over company data in the wild.
Would do differently: Don't throw away opportunities. If someone invites you to an event with industry personnel, make time and go. Be proactive in your learning, send emails, ask questions of the people who do it for a living.
Practicing on others' systems: Passively - maybe. Analyse public code for education. Look but don't touch. Any attempt to 'test' security, in any form of the word, without permission can be taken as a threat by the victim, and their reactions, if they find out, may not be as you expect. At best let them know of any exploits you may find.
Cons helpful: Yes
Recommended cons: Security-specific conferences are helpful to an extent, especially if your role requires you to be on the forefront. But conferences that relate to products in use or of future procurement may also be beneficial, as you get to experience them before the rest of the world does, giving you the edge in terms of finding the holes first. As I'm still a student, I can't say I've attended any specific conferences that may/may not have helped myself/clients' security potential.

Next big thing: smartphones, of course
Would do differently: yes, wasting time with computers and less with girls :-)
Practicing on others' systems: you must be kidding :-)
Cons helpful: Yes
Recommended cons: black hat, ccc congress, defcon

Next big thing: Document-centric security. Not necessarily DRM, but a way to secure documents no matter where they're stored (the cloud, your laptop, your phone, etc) or distributed and no matter what form factor you're interfacing with them.
Would do differently: Practice what you preach. Even when you're not on the clock.
Practicing on others' systems: NO. NEVER.
Cons helpful: Yes
Recommended cons: RSA - while this is usually a vendor-fest, I get to see a ton of people I've known forever, who live all over the place. It's a fun reunion for all us security geeks. Infosecurity UK - this is a great place for customers - it's the anti-RSA, IMO. People go here to really learn about the new technologies, instead of just trying to establish B-to-B partnerships or trying to find a job. BlackHat in Las Vegas - tons of cool stuff going on at this show, this is where the really knowledgeable and serious white hats, grey hats and black hats come together to share what they

Cons helpful: Yes
Recommended cons: defcon, blackhat

Practicing on others' systems: No.
Cons helpful: Yes
Recommended cons: blackhat/defcon/bsides for the content and the networking; local conferences or meetups mostly for the networking with people in your area

Cons helpful: Yes

Next big thing: Mobile security.
Would do differently: Don't do evil.
Practicing on others' systems: It depends on which companies are involved in the process.
Cons helpful: Yes

Next big thing: Drones.
Would do differently: Yes, when meeting Robin Wood, don't stand there like a drooling idiot in a starstruck manner. (Sorry about that)
Practicing on others' systems: Negative Ghostrider, the port scan is full.
Cons helpful: Yes
Recommended cons: Currently I have not been to too many conferences so I feel that my word here is not the gold standard, however I would suggest every BSides event you can manage to go to in your area, as well as DerbyCon. I would personally skip out on DefCon unless you are just there to party.

Next big thing: Mobile
Would do differently: Don't be shy.
Practicing on others' systems: No!
Cons helpful: Yes
Recommended cons: DerbyCon, Shmoo, SANS. This provides an excellent way to network and become a known entity.

Next big thing: The mobile industry. We see security issues every day with botnets, malware and security problems. Awareness is the key, but lousy programming isn't a good excuse.
Practicing on others' systems: No. Only practice in controlled environments in case #%&!* happens.
Cons helpful: Yes
Recommended cons: NIST, RSA, BlackHat. To meet and greet with the professionals in the industry - exchange ideas and raise awareness. And for laughs too, of course.

Next big thing: Mobile security (forensics/malware/vulnerabilities).
Would do differently: Spent a lot of time at a stale job where I wasn't progressing or learning anything new. I should have left sooner.
Practicing on others' systems: No.
Cons helpful: Yes
Recommended cons: Any conferences that have technical talks and especially CTFs or challenges. Sitting down with like-minded people to take on technical challenges is a huge boost to motivation and skills. Shmoocon and Defcon have exceptional challenges and CTFs.

Cons helpful: Yes
Recommended cons: Bsides - Cheap and great networking potential

Next big thing: I'm biased here, but the world of incident response and monitoring technologies and processes is due to explode, now that everyone starts to accept that unmonitored controls don't do a damn to defend anyone from anything.
Would do differently: It's really easy to become very emotionally involved in doing what is right at all costs, in the infosec world. Remember that security is not the most important thing in the world (it really isn't) and learn to be flexible with your choices career-wise. I spent a lot of time early on fighting the wrong battles, and getting fired over pyrrhic victories... At the same time, know where your line in the sand is.... bend like the reed in the wind to anything up to that point, but when you get to that line in the sand for your personal ethics, don't break down for anyone. There's no shame in being fired for
Practicing on others' systems: Sorry kids, you missed that window. In the age of ubiquitous, cheap computing and advanced VM technology, you have no excuse any more. We did it out of necessity, but that was 20 years ago. Once again, you have no need, or excuse, any more. Anything you could possibly want to test your skills against now, you can just as easily build in your own bedroom now.
Cons helpful: Yes
Recommended cons: Small stuff is usually better. I personally love SOURCE. Defcon is mandatory early on in your career: the sooner you get an exposure to large numbers of smart, noncorporate people, the better.

                                                                                                European
                                                                      Depends on the            conferences tend to
                                                                      conference and your       have a better
                      Lot's of small things,   Not if you want to     areas of interest.        spread of pure tech
                      but nothing              remain "at large".     The industry moves        vs social and
                      reproducible. I think    At least in the UK,    faster than the           political implications
                      I've been incredibly     the CMA will come      conference circuit        IMO. I'm not a big
                      lucky with how           into affect, even if   but if you're smart       fan of soft skills /
Nothing that I want   things have worked       your own personal      you'll see stuff that's   tool talks. Give me
to share.             out for me.              ethics don't.          useful                    the dirty research.
                                        Companies with a
                                        web presence
                                        should take more
                                        responsibility for
                                        their own security. A
                                        car driver has a
                                        responsibility to
                                        ensure their vehicle
                                        is roadworthy and
                                        an MOT proves that
                                        at the time of test,
                                        sites which collect
                                        user data and
                                        especially cc data
                                        should also have a
                                        mandatory pentest
                                        and cert to prove
                                        'webworthiness.'

                                        I do not agree with
                                        practicing on sites
                                        you do not own, but
Mobile                                  there is so much
security/apps. Also                     info available about
web apps will                           a site's webserver,
become interlinked                      db etc, it can
with security and a Not continuing      become a trivial
lot of developers   programming when I task to actually
and web designers was in primary        access a site after
will have to learn  school! Recognize doing some
about security to   your talents and    homework, also for          Any available! Also
keep in the job     keep working at     kids learning about         user groups (linux),
sector they are in. improving.          the web, it may be Yes      OWASP etc
                    Yes, I spent a year
                    doing intrusion on
                    web servers, there No, it is prohibited
                    is a lot of         by Colombian
Malware analysis on experience there,   legislation, you have
mobile devices.     but is not legal.   to be certified.      Yes
                      I didn't start
                      applying for jobs
                      early enough and      Only for completely
                      not enough            passive activities -
                      networking with       still with great           BlackHat
                      people already in     caution and a firm         DefCon
Mobile                the field.            grasp of the law.    Yes   Bsides


InfoSec and                                                            BSidesLondon (it's
anything internet                                                      free!)
connected is a                                                         #dc4420 (free apart
constantly attacked                                                    from cost of beer)
and moving target.                                                     InfoSec (free apart
                                                                       from registration
IPV6 will creat a lot Paying for a CISSP                               and spammy after
of headaches for      bootcamp out of my                               calls / emails)
lots of people        own pocket.        no, not ever.          Yes

                                                                       All IRL contact with
                                                                       people in the
                                                                       industry is
                                                                       beneficial.

                                                                       That being said:

                                                                       80% education 20%
                      The more letters                                 networking Usenix
                      after your name the   No.                        ATC
                      better, even if you                              50% education
                      don't think the       Especially when you        50%networking:
                      courses/classes       can often get that         BSides, Shmoo, C3
                      taught you a single   permission by              60% entertainment
                      thing.                agreeing to                20% networking
                                            parameters, and to         20% FUD:
                  HR is a stumbling         share your results         defcon/blackhat
                  block best avoided        with their IT
Embedded devices. from the get go.          department.         Yes
                       I waited for it to
App pentest is going   come to me instead        Noooooooo.
to continue to grow,   of going out to get it.
as well as "cloud      I didn't know what I      Stage your own lab.
assessment". I see     wanted to do and          People get pissy
Risk Management        thought I'd figure it     and will lock you up.       Bsides- cost and
as being te largest    out "later." a lot of     The legal system            social networking
area for corporate     wasted time and           doesn't know shot           ops. Derbycon, cost
buy in. Tools          crappy jobs from          about computers.            and content.
automation and         that. Talk to people      What you call               Cansecwest,
programming will       doing what you think      harmless could get          content. Local ISSA
eventually             you want to do.           you sentenced to jail       chapter
deprecate              Shadow them. Be           by a jury of                meetings/conferenc
pentesters. :(         sure.                     Luddites. Easily.     Yes   es, networking.




                                                 Some countries
                                                 allow some don't. I
Mobile devices,                                  could be helpful if         Defcon - The "one"
social networks,                                 vulnerabilities could       BruCON - I'm from
IPv6, "machines"                                 be reported without         Belgium
connectivity                                     being scare of              BSides* - Free and
(SCADA, cars, etc)     See #1.                   prosecution.          Yes   good quality




                      Trust and faith,                                       Again everything inc
                      people will do you                                     bsides defcon
                      over just to look                                      Blackhat USA and
                      good and make                                          eu rsa first and
                      money.                                                 super secret get
                      Watch out for              No never without            together you have to
                      yourself and make          explicit written            get on the exclusive
                      sure you come first        permission from an          lists and attend all
I am biased toward don't sacrifice your          authority that can          the after parties a lot
intrusion analysis I well win for others it      give that permission        of work is done out
see big things there. will only hurt you.        and authorization.   Yes    of hours.
                                                                       InfoSec Europe
At the moment there                           No that's what           (gives you a good
is a lot of internet                          VMware is for, there     idea of the available
chatter about                                 are some things that     vendor products.
DDOS, website                                 might be in a gray       Local OWASP
defacement etc, I                             area such as port        meetings (even if
think areas such as                           scans, but don't risk    you don't write
pentesting will                               it. Practice it in a     software)
continue to be                                safe controlled          Local BSides (it's a
important. I also                             environment, use         good way to hear
think there will be an                        wireshark or an IDS      ideas and meet like
increase in malware      Losing focus and     to get a good in-        minded people)
and attacks              not pushing myself   depth view of what       DefCon (who
designed to steal        to learn and         is happening when        wouldn't want to go
information.             develop.             you try something. Yes   to Vegas)
                                       Well, yes if you
                                       don't get caught. I
                                       start to learn
Go on IRC, meet                        reverse engineering                       All technical ones :)
guys who do the                        by cracking stuff as                      because as I said,
same things than                       90% of reversers I                        the most important
you or things you                      know (the other part                      is to encounter
are interested in.                     wanted to develop a                       people who are
DO NOT try to know                     rootkit).                                 interested in IT
everything, focus on                   But don't pass all                        security. (no
one specialty.                         your time on it and yes but not for the   ISO/certified crap
(English is not my                     don't be proud of it conferences, only    stuff, or at least for
specialty :p)        hmmm, no, sorry   :)                   for the people.      me)

                                                                                 Local BSides to find
                                                                                 locals to build
                                                                                 networking ability.
                                                                                 DEFCON to network
Mobile device and                      No, too much risk of                      with others from
centralized account                    your actions being                        wider regions.
management                             misconstrued as a                         DerbyCon because
attacks                                crime.               Yes                  it rocks.
                   Don't let it get
                   personal, the
                   industry is full or
                   pariah's that can't
                   couldn't handle
                   some trolling and
                   are now shunned by
                   the industry. Also,
                   know your skillset
                   and don't punch too
                   far above your
                   grade. In an industry
                   where your skills
                   largely determines
                   your merit you can
                   quickly go under by                                ANy conference that
                   not meeting                                        focuses on your
                   expectations. It's ok                              preferred
                   to say I don't know                                specialization area
                   how to do that, but As a general rule;             is likely to result in
                   I'll find out or can  No, it's not worth the       increased knowlege,
Mobile anything,   you teach me how risk.                             network and job
web anything       to do that.                                  Yes   opportunities.
                                      It's OK if all you are
                                      doing is inspecting
                                      elements that are            DerbyCon, DefCon,
                                      freely viewable by           B-sides,
                                      anyone on the                ShmooCon, and
                                      internet (Inspecting         other low cost
                                      http responses, view         conferences provide
                                      source, certificate          significant value.
              Staying in a job that   details, zone                Avoid BlackHat and
              is comfortable. If      transfers, etc) then         RSA like the plague.
              you are not learning    that is OK, but the          Waste of training
              every day and           minute you take this         dollars. Good
              challenging yourself,   information and do           content but 4
              you are only hurting    something with               "hacker cons" vs 1
              yourself. Go for the    without permission it        RSA is a no-brainer
              hard stuff, don't be    then you have                from a value
Mobile apps   scared.                 crossed the line.      Yes   perspective.


                                   Personally, I say
                                   yes.. BUT!! I only
                                   'practice' on sites
                                   without permission if
                                   I use that site, don't
                                   don't agree with
                                   testing on site I
                                   have no reason to               All of them
                                   be on.. for example,            depending on your
              not networking       testing my local                budget and
              sooner, not          council site is ok, as          location.. the
              attending free       they hold my                    security conference
              events like DC4420, information.. but                is just half of the
              Bsides (ok they      testing on Wiltshire            experience.. just
              didn't exist back in council is a no.. and           meeting people who
              the day).            if you do find a hole           are like minded can
                                   then report it with             also be very
                                   correct disclosure. Yes         beneficial
                     Be more supportive
                     of the business. We
                     are not necessarily
                     there to say "no".
                     We are there to
                     explain the risk and
                     recommend options.
                     If the business
                     makes an informed
                     decision we've done
                     our jobs. Learning
                     to get over power
                     struggles is
                     important. Know
                     when to stand
                     strong but also
                     when to
                     acknowledge that
                     the business will
                     need to
                     acknowledge and
Risk management      accept risks.        No.                Yes




                                                             Yes
                                                                   DEFCON is a
                                                                   favorite.
                                                                   Conferences useful
                                                                   because it gives info
                                                                   about cutting edge
                                                                   topics and
                                         No. Not worth the         demonstrates to
                     Not spending        risk. If you get          potential employers
                     enough time on      caught you could          that you are
Cloud, mobile, and   project             damage your               committed to
hacking hospitals.   management.         career.             Yes   infosec.
                       On a couple of
                       occasions I have
                       allowed myself and
                       my department to
                       be seen as
                       impediments rather
                       than
                       helpers/protectors.                                  Any technical
                       Don't let yourself be                                conference where
                       put into the position                                new and interesting
I think cloud security of traffic cop, or the                               information is being
is the next major      department of "No".                                  presented. The big
segment. Users are If something can't                                       names cost a lot,
pushing more and be done the way the            No, never without           but are usually
more information       user wants, try to       explicit written            worth it, but the
out of their control, come up with              permission from             smaller conferences
securing and           alternatives that get    someone who has             like Bsides, can
managing that data the same result as           the authority to give       offer a huge amount
is only going to get securely and as            you such                    of valuable
more important.        easily as possible.      permission.           Yes   information.
                                                                Shmoocon
                                                                DerbyCon
                                                                Defcon

                                                                It is less about the
                                                                talks, and more
                                                                about meeting
                                                                people. These are
                                                                the people who are
                                                                shaping security as
                                                                we know it, it is best
                                                                to get in good with
                                                                these folks.
                                                                Everyone has
                                                                something to teach,
                  It is ok to be     It is ok to be             as well as
                  curious. It is a   curious. It is a           something to learn.
                  felony to commit   felony to commit           Try to do both at
Mobile            crimes.            crimes.              Yes   these cons.
                                     I would say no
                                     because if you get
                                     caught doing
                                     something its game
Anything with                        over for your entire       Defcon,Source,Shm
Mobile Security   no                 career.              Yes   oo
                                                                RSA is good to get
                                                                a business
                                                                landscape.
                                                                Shmoocon and
                                                                DefCon to get the
                                                         Yes    hacker mentality.
                                              I think it would be
                                              OK to do so if it
                                              were easy not to            SOURCE, because
                                              damage your target,         it focuses on
                                              but even a                  combining business
Mobile security. The                          vulnerability scan          and security folks.
"cloud" is popular                            can do serious              DefCon, because
and will continue to                          damage. Even                it's a long standing
be, but it's not really                       temporarily                 con, cheap, and if
a big change.                                 overloading your            you're going to meet
Mobile applications                           target with traffic         people in infosec,
are becoming                                  can cause real              it'll likely be at
hugely popular                                financial damage.   Yes     DefCon.

                                                                          Defcon -Huge,
                                                                          famous

                                                                          Derbycon - Smaller
                                                                          awesome

                                                                          Thotcon -Small
                                                                          cheap (if somewhat
                                                                          local)

                                                                          Probably many
                                                                          more. I have limited
                                                                          experience
                                                                          attending all of
                                                                          them.
                          Binge drinking in   That is a really
                          college.            really bad idea.            Phreaknic,
                                              Even if your young          skydogcon,
                          Getting discouraged enough to be in             notacon, outerzone,
                          and not pursuing my highschool.                 etc (worth it if your
                          passion.                                        somewhat local and
                                              Personal                    you like the
#[buzzword]#                                  experience!          Yes    community)




                                                No, enough of legal
                                                sites out there           Very technology
                          Also learn to report, where you have            heavy ones like
Phones.                   not just hack.        permission.         Yes   CCC.
                                               Yes/no. I dont see
The use of darkness                            scanning as bad;
technologies to                                however with the
mimic the open                                 free software that is
cloud technologies                             out there you can
we see now that are                            build your lab and           DerbyCon-
vulnerable to SOPA                             test against your            small,cheap, and
type regulations.                              own domain/sites             great to meet the
Tor/i2p etc will                               etc. It's better to be       other serious
continue to mature                             safe in this realm           professionals
and will grow into   Start early. I wanted     than serve time in           (nonmanagement
the 2nd Internet out until my 20s to get       jail because you             types).
of need.             into security.            wanted to learn.       Yes



Mobile (ARM)
application hacking.    Don't limit yourself                                BlackHat, because
For real this time.     to something you're    Not if you go past           even though it is too
X86 isn't going to be   good at. Keep          the front door.              big and diluted now,
running on personal     working on the         Finding a                    it has always had
systems much            things you are not     vulnerability doesn't        the best speakers
longer at this rate.    yet good at.           require exploiting it. Yes   and trainers.




                     Hm. If I could go
                     back and do my life
Meh. I see the same over, I'd keep going       NO. That's a lawsuit
things recycled over in Maths. It's the        asking to happen             If you can only
and over again,      one area where I          and it is NOT                make one, make it a
honestly.            feel deficient.           ethical.             Yes     hacker con.
                                                                         Shmoocon
                                                                         Brucon

                        be completely open                               Small cons so you
                        about where you are                              have chance to talk
mobile                  working.            No                     Yes   to the speakers.


                                               Ha ha ha...no.      Yes




The same as it has
always been -
people and
businesses want
things now and
security is of little
concern until the cat
is out of the bag so
to speak. Figuring                             NO!!!!!! Though I
out how to balance      Waited to long :-)     guess I should
and mitigate those      Security is a blast.   temper that with
risks is always going   It's always changing   what you mean by
to be a "next area"     and never the same.    "practice".         Yes   Derbycon, Bsides
                                                                            SANS conferences,
                                                                            but it has been a
                                                                            while since I have
                                                                            attended any other
                                                                            types. I always
                                                                            enjoyed the InfoSec
                                                                            conferences, but I
                                                                            am not sure if they
                                                                            are still around.
                                                                            DEFCON and
Maybe I am old                                                              BlackHat are two
school, but I still see                                                     that also stand out.
a lot of room for         Not getting my                                    What ever gets me
improvement with in       degree when I first                               thinking about new
the log anlysis,          got out of high                                   ideas is definately
SIEM arena.               school.               No.                   Yes   worth it to me.
                                                Absolutely not.
                                                There are enough
                                                practice labs out
                                                there that can help
                                                you to practice all
                                                the necessary skills,
                                                or you can build up
                                                your own.             Yes



                                                                            DefCon and
                                                No                   Yes    DerbyCon
| It's all about the web apps now. | It is important to accept the fact that mistakes will be made and to try to learn from them, and not blame other people or deny them. | No, but when you get skilled enough, you will be able to see potential issues without doing anything malicious, and be able to communicate with the company/site about the issue and gain proper testing permission. | Yes | I would not recommend a particular conference, as all of them have valuable content, but one thing I would recommend is to attend both big cons (ie Defcon) and smaller, more social cons (PhreakNIC, ToorCon, DerbyCon, etc.) The networking opportunities and the spontaneous discussions and debates that break out at the smaller cons are invaluable. I wouldn't have the opportunities and contacts I have today without them. |

| Obviously mobile and consumerisation in general... The boundary model of security that most organizations still operate is no longer effective. Security needs to be data-centric, secure your assets then work out... | Yep! Don't get trapped into financial dependency... In other words, live within your means and you will always be in a position to walk away from bad situations. | Emphatically NO! It's not even ok to do it within your own company without permission. | Yes | Any SANS ones as they are focused on education... |

|  |  | never | Yes | Any SANS conferences for the networking and practical information. Blackhat and Defcon. |

| Hard to speculate. The industry is doing lots of things right, but some big players still rely on FUD to sell their products. Would like to see more nimble players with targeted toolsets make a difference. | Do not move into management if you feel it is not for you. Stay close to things that you are interested in, so it does not seem to slog. | It is a risk. My advice: do not take that risk as a company, but you as an individual can choose to accept that risk. | Yes | BSides, local conferences in your area. Networking is interesting, seeing what others are doing. Black Hat and Defcon, too big and hyped, not as useful. |

| Privacy. Most privacy departments are bloated and really make zero impact on reducing risks. I think that you will see that this will start to roll up into Information Security/Risk Management Departments. | Don't trust anyone in Silly Valley (that place next to San Francisco). Too many people have agendas and spend most of their time screwing others over. In Silly Valley poor behavior is almost rewarded. | Nope - Once you have something worth keeping - like family and kids, you realize that it is not worth losing. Better off setting up your own systems for fun and learning. | Yes | ShmooCon, DefCon, maybe BlackHat. Most vendor conferences are infomercials and truly waste time and money. |

| non-network risk and threat assessment/business continuity. | Yes - don't spend all your time trying to be uber-technical. Learn to HIRE people to do that part. | no. no. no. no. no. no. Practice at home on your own network (or your wife's laptop). | Yes | SANS - because they're designed around hands-on activity; BlackHat/DefCon/Shmoo - because they have very nifty presentations; BSides-ANY - because they are where the action is now; RSA - mostly for corporate-types; DerbyCon - mostly just because of the organizers. |

| Mobile security and cyberwar. | Trusting the ones you work for, they could change and leave you out. | No. | Yes | Sans, shmoocon, and any local con. |

|  |  | No | Yes | SANS, RSA |

| same security landscape, but more need for trained security professionals | When in doubt, don't. Ask a security veteran. | No. There are many tools readily available to download to test against. Having to customize them to set them up as vulnerable testing platforms assists in the learning process as well. | Yes | BlackHat - to see the breadth of the industry. Defcon - to see where the true hacker's mentality is displayed. Derbycon - to interact with the superstars of the whitehat community face to face. Shmoocon - to see the public sector of the security industry represented in number. |

| Cyber espionage/warfare, not on national level, however on corporate level. Data protection, internal and external | Always be honest, even if it can cost your job. | NO, do not do anything on other people's systems, sites, locations without their explicit permission in writing. You can practise at home, your site, your laptop and create a virtual environment. All tools are available today. | Yes | BruCON, near me, interesting and not too expensive; DefCON (never been), looks very interesting; BSides (never been, intention), looks interesting; OWASP (never been) interesting to exchange ideas; local activities |

| BYOD. Consumer based devices being used within the enterprise. | Not sure. | No! Career limiting. Use the Safe to Hack sites. Build your own network and break that. (Great on your resume) | Yes | SANS Conferences - Excellent presentations, outstanding courses, very useful networking. Black Hat - Bleeding edge information. Local or nearby Privacy and Security conferences - Learn your legislative issues. CanSecWest - Superb and near me. |

| ... Sigh ... Cloud .* and More fundamental design flaw discoveries in embedded firmware based technologies | Not really. But I would recommend that people understand that emotional detachment is a very important virtue in our field. | It depends if you are doing it "anonymously" heh. Honestly, I think that it is fairly easy to set up VMs and VPSs to lab most everything you want to test. | Yes | Blackhat - Good workshops. Defcon - Social Networking is paramount. (Always learn from your peers) Shmoo Con - (Ground breaking announcements are always nice to see in person) |

| Don't know if it qualifies, but IPv6 will be a blast. Some major integrity concerns there. Also, general web integrity issues will probably be big, as soon as the public starts to realize what being tracked across the web, on your tv, or on your phone actually means. | Once again with the coding. I should probably have educated myself more too. It's possible to break in only on being quick to learn and having an interest, but education is always a winner. | Basically no, although I do appreciate reading or hearing about those who do. | Yes | Black Hat, RSA, probably Bsides too but I get the feeling you need to know people and be a certain kind of infosec person to be able to fully appreciate that. The major ones (like Black Hat and RSA) are good for learning new stuff, networking, but also because you get a motivational rush from it. |

| mobile security |  | Yes, it's ok, because it is the only way you can get the sufficient hands on practice to clear the interview and recall what you know, but always be on the safer side ;) | Yes | There are many conferences around the world, but attending some of the conferences where hackers meet to present or to talk, a local hackers meet will also be helpful as you will know the latest tips and tricks, vocabulary, will get some hacker friends who may guide you in the right path and can help you get placed somewhere, or maybe you will know the right organisation to start with, and the organisation with the current opening |

| IT awareness of security | Recognise that security is a balance between usability and security. Sell security as an enabler and not an obstacle to business. | Possibly providing you tell the person afterwards about vulnerabilities/exploits | Yes | Infosec |

| More client-side security. | In the beginning I was a script-kiddie with no real goals or ambitions. I notice that's a pretty big trend amongst most newcomers. Try to steer clear of that route as much as possible. Try to help the cause, not be a factor in destroying it. | No. You actually wind up doing more damage than you ever expect. I'm talking financially here. If you break a server only just to poke around or "just cuz you can" and the server admin finds out, the company can pay a very large amount of money fixing what you broke. | Yes | DefCon, Blackhat. I've learned many new things there. |

| Mobile agent technology on mobile platforms - migrate to server whilst offline. Mind you I've been hanging out for that for 15 years now..... | Staying in formal education isn't as valuable as you may think once you get past the HR entry point. | No, never. | Yes | 44Con - Top quality talks & great atmosphere (even if I felt like crap the whole time last year). BlackHat - Good selection of talks and far enough out from 44Con to avoid doubling up on all talks |

|  |  | No. I'd be lying to say that I've never done it though. Sometimes Bob just goes and does what he wants to. | Yes | Defcon is nice, but a zoo. Derbycon looks very nice. Anything that gets you to meet like-minded people is good. |

| Mobile devices |  | No | Yes | Blackhat, Source, Rootedcon |

| This is always tough. More than likely it will be in the area of Mobile Security. I think smartphones and tablets are the new laptops from 10 years ago. The number of threats, vulnerabilities, and security software will only increase and expand in this space (IMHO). | I want to be in a technical position, and allowed my career to go down a path that became less and less technical, until a couple of years ago when I started making a change in my career and what I was studying in my free time. I should've done that earlier as now I'm playing "catch up". | Depends on what you are practicing. If it's recon, and even some level of mapping, I think it's ok, because it's very unlikely anyone can cause damages doing that. However, there is a line that can be crossed where you suspect that if what you're doing goes wrong, it could have a negative impact on the site, either by exposing information or bringing the site down. However, with that said, there are so many other options for practicing that are available for free or inexpensive, there's really no reason to practice on production systems that do not belong to you. | Yes | I think it really depends on what you do and where you're located. As a pen tester located in the SouthEastern USA, I like the following: DerbyCon, ShmooCon, AppSecDC, and DefCon. For me, these conferences provide the ability to network with other pen testers and info sec service providers, listen to talks on some really good research, get new ideas, and improve some skills along the way. |

|  |  |  | Yes | ALL |

| Network Security Monitoring |  | No. | Not sure |  |

| XCEL Mobility (stock ID XCLL) | choosing a "money-hungry" partner that had minimal security experience | NO - NO - NO it is NEVER OK to do that | Yes | Check out allconferences.com, and choose which ones interest you. Many of them give you free versions of software and utilities if you stay through the end of the conference. Also, the networking you do is instrumental in building relationships. |

| An increase in mobile malware and more organisations (particularly government and large state owned enterprises) moving to cloud infrastructures. The above are not new areas but more an increase in current trends. | As I have not yet started working in the InfoSec industry, I can't comment on things I have done wrong but I am in no doubt that there will be one or two things that I could do differently. | NO - this is criminal behaviour NOT hacking. Always gain permission upfront before accessing any site that is not controlled / owned by yourself. | Yes | As I reside in New Zealand, I can only recommend the few that I have attended. Kiwicon - annual hackers conference in Wellington, New Zealand. OWASP NZ Day - conference held yearly in Auckland, New Zealand |

| physical and/or blended pen testing. there's already far too many scan shops out there. | no. | meh. grey area. i'd say it's not OK but it's a good idea. | Yes | absolutely as many as you can scam your way into, if only to network and meet people. don't attend talks (unless you're really bored). all the talks wind up online within days. watch them then. go to ShmooCon, THOTCON, DerbyCon, and BlackHat/DEFCON. (scam your way into Black Hat) |

| Mobile and web app sec is still going to be at the top. Behind that as much as I hate the term, cloud security. | Wasting time being afraid of failure. | No. | Yes | CarolinaCon, Shmoocon. It's great to see what other people are working on, what the community values, and network with other folks. |

| mobile security |  | no | Yes | defcon, blackhat, toorcon, bsides. they all have different types of communities but great for networking |

| big data, linked data, mobile, social, compliance with various protocols HIPAA/Sarbanes, mashups | take more initiative, set firm dates, get more than one cert - 2 or 3 is good - and get out in the field. | no comment | No | defcon, shmoocon, derbycon. linuxcons, notacon |

| Integrated security appliances or MSSPs; Appliances that handle more than one function like Firewall/IPS all in one; or MSSPs which can monitor multiple systems at once. |  | No; It's never ok to practice on sites/companies without permission | Yes | BSides - it's local and free and offers great exposure to relevant topics and local community members. BlackHat/DefCon - only if you have the funding; again, offers exposure to a wide range of community members and has some decent talks |

| Relearning the old ways of attacking. We've seen too many people focus on one part, and things like lock picking and social engineering (both older than dirt) making a come back as the way to attack. | spent too much time not being focused and wasting it doing "other things". no matter what try to keep your hand in the pie and get your name out there in some way. | NO. go build a lab. Set the stuff up. learn both sides of Red and Blue. | Yes | I like BSides the most. The cost is good, they tend to be more local, and give you a chance to network with more people doing the type of work you want to do. I think over all the smaller cons, where you can meet people and build upon existing relationships, is the better part of the con |

| Mobile |  | Negative, Slippery freaking slope. | Yes | Derbycon, Bsides*, Shmoocon. The smaller cons get you the great speakers but time and access to talk to the speakers and others at the con. Defcon is great for the parties but a waste of time otherwise. |

| Cell phones, mobile networks. | not learning to program.... | Nooooooo. | Yes | Shmoocon, Defcon, Derbycon ^^ No particular order. Any you can really. Why, well one, they're pretty cool. You get to meet your peers, and most of them are pretty cool to hang out with. The talks are awesome, and you might even learn a thing or two. |

| Secure Software Development. Psychological studies show that if you tell someone a problem without clear steps on solving it, they tend to ignore your warnings. Security folk need to work closely with software developers and IT teams to provide clear solutions instead of vague geekspeak. |  | Never | Yes | The ones where it's less about vendors and more about learning without having to pay a tonne. |

| Client side / cloud | Nope. | Hell. No. | No |  |

|  |  | Only if they have policies that allow public security research (and you stay with the terms of those policies). Companies with Bug Bounties are a good start: http://www.facebook |  | Black Hat(s) and especially USA, Defcon, CanSecWest, Source and smaller local cons. They are useful mostly from the perspective of meeting others in the community. Earlier I said certifications are not useful. Why did I not say they are useful for getting through HR? Because every job I have ever gotten was because I knew someone or someone who knew someone. Breaking
                                   .com/whitehat/bount              into security is most
                                   y/                               effectively
               Drink less and hack http://googleonlines             performed, in my
               more at your first  ecurity.blogspot.co              opinion, be meeting
               con. Heck, drink    m/2010/11/rewardin               and getting to know
               less and hack more g-web-application-                people active in the
               at every con.       security.html        Yes         security community.

                                                                    Vendor conferences
                                                                    for the networking
                                                                    opportunities
                                                                    OWASP, SyScan,
                                                                    Ruxcon, other highly
               Going into a                                         technical
               management role                                      conferences to
               too soon, it's difficult                             really see what
               to do well if you get                                everyone else is
               isolated from the        Yes, just don't get         doing
P2P payments   coalface stuff.          caught.               Yes
                         I think it depends on
I think the obvious      what you are
answers here are         practicing. If you are
"The Cloud" and          working on
"Mobile" but beyond      information
that I feel that there   gathering
is going to be more      techniques, that
and more                 could possibly be
convergence with         ok. There is a lot of
technology and our       grey area in this
physical world. I        subject however.
don't mean just          Some people might
SCADA/smart grid         say dont do                 Personally, I enjoy
networks, I'm talking    anything you                the smaller
about implants for       wouldn't want done          conventions. I really
humans and huge          to you. That leaves         enjoy the social
ecological projects      a lot open. I would         networking
to control our           say, leave your             components.
environment.             "practice" to               Meeting people in
Imagine a hacker         learning about the          all kinds of different
group causing            site/companies as           roles talking about
Ozone depletion.         best you can without        ideas and solutions
yikes!                   using your browser Yes      is really inspiring.

the distinctions of
work and personal
equipment / data will
continue to difuse in
to one another,
causing more
opertunity for the
"bad guys". the
outsourceing of IT
will make it dificult
for companies to
know how there                                       B-sides, not over
data is secured and                                  populated like
could make change                                    defcon.
more problamatic.                                    Realy any
you could start to                                   confrence, more for
see attacks                                          the one on one
propagate across                                     interaction with
cloud providors the                                  people who have
same way you see it      only if you want to         great ideas than the
go accross hosting       go to jail and be           talks, but they do
providers today.         bubba's girlfrend.    Yes   set the tone...
                                                                          BSidesSF - free,
                                                                          educational, with
                                                                          good exposure to
                                                                          what RSA is about
                                                                          w/o paying for a
                                                                          ticket
                                                                          SOURCE Boston -
                                                                          Great exposure to
                                                                          technical and
                                       This question is                   business together
                                       misleading. It's not               BruCon - technical,
                                       ok, it's probably not              lots of variety, great
                                       legal, and it's not                audience for
                                       necessary. There                   networking
                                       are test sites like                DefCon - good
                                       DVWA & WebGoat                     variety of topics,
                                       you can practice on,               good networking,
                                       or you can build                   good for beginners
mobile                                 your own test lab.    Yes          and young people



                                                            Yes



                                                                          Defcon, brucon?
                                                                          It think it's a nicr
                                       I think u should                   place to meet new
                                       'practice' on sites                people, learn new
                                       without permission                 things.
                                       although im also                   very interesting to
                                       doing it.                          see what what the
                                       I dont harm the site               speakers have to
                                       but I report the                   see and what new
                                       vulnerabilities when               topic will be talked
/               /                      im done.             Yes           about.
                Not enough
                networking. Jobs
                are offered directly   Not really. Gray
Xss framework   not just online on     zone deluxe. Make
development     recruitment pages      a lab! VMware 4tw    i dont know
                                                                           Any conference due
                                                                           to the networking
                                                                           aspect. Getting to
                                                                           know someone from
                                                                           a conference can go
                                                                           along way to getting
                        Nothing that sticks                                into the security
Not really sure         out at the moment.    Absolutely not.        Yes   field.




                                                                           I like the SANS
Malware analysis is                           Hell no. You only            conferences, they
starting to pick up                           have to screw up             tend to get a slightly
strength, I see a                             once to find your            more professional
push to bringing that                         prospective career           attendees. Also like
level of skill and                            path changing to a           Defcon/Blackhat,
interest in house.                            federal institution.   Yes   always a lot of fun.
                                       local conferences,
                                       just to network and
                                       meet people in the
                                       industry. probably
                                       the most important
                                       thing to have is
                                       good contacts who
                                       can recommend you
                                       and so you stand
                                       out from the jackass
                                       who doesnt know
                                       shit, but has lots of
                                       certifications
                                       becuase they're
                                       good at passing the
if you have a choice                   crappy exams etc. if
to join a security                     you dont know
consulting company,                    anyone, then you
do it and dont take                    have to try to get
the job at the big 4.                  known by other
you will forever be                    people through
deemed to be an                        publishing research,
accountant or         no               blogs, speaking at
someone in tax.       very bad   Yes   conferences, etc.
                                                                                My personal favorite
                                                                                is shmoocon. It's
                                                                                size is small, talks
                                                                                aren't the greatest
                                                                                but the crowd is
                                                                                almost always
                                                                                welcoming kind and
                                                                                very nice to
                                                                                newcomers. It will
                                                                                help you get a job
                                                                                get a friend or get a
                                                                                beer, and everything
                                                                                in between.
                         Not everyone who
                         shits on you is your                                   Defcon is good to
                         enemy.                                                 see old friends
                         Not everyone who         Depends. If you are           again and not much
                         gets you out of shit     playing with a web            more.
                         is your friend.          app it's a lot more           Summercon is great
                         People can be real       okay than breaking            to have a great time
Mobile and               weird accept it and      into a subnetwork of          and get to know
fringe/cloud crypto      move on.                 computers.           Yes      new people.


                                                                                Defcon
                                                                                Shmoocon
                                                                                Black Hat*
                                                                                Very useful,
                                                                                especially if
                                                                                presenting, to
                                                                                connect with
                                                                                prospective
                                                                                employers, learn
                                                                                something, and
Figure that out, and                                                            meet people.
you'll have it made!                                                            However, travel and
No, I don't know.        Before asking                                          conference fees can
But there will always    [stupid] questions or                                  also be a big money
be a need for            releasing any new                                      burner (BH) if you
incident response,       exploits/research,                                     don't already have a
malware analysis,        be sure to do a                                        security job to send
offensive and            search to try            No. Absolutely not.           you. Go with a plan
defensive tool           answering your own       Though I know                 or at least a
development, and         question or figure       many do it and get            determination to
penetration testing. I   out if what you are      away with it, i have          meet new people
suppose there will       doing has already        seen promising,               and not be jerk,
be a bigger role for     been done before.        intelligent kids with         don't just show up
exploit                  People will give you     a sure future in              and wander around.
development, or          a lot more respect if    security hack                 Also, I haven't been
maybe it will just be    you show you've          something and get             to many more, so
more publicly            done at least a little   burned, possibly              these are just what I
known. :-)               bit of homework.         permanently.            Yes   have seen.
                     Wait too long to get
                     a degree. any
                     degree. useful both
                     from the needing to
The use of           be able to
icloud/live accounts communicate, to get
for OS               past HR steps in       Only                  It depends on the    If SANS
authentication is an larger orgs, and for   reconnaissance        conference, and      Conferences count,
interesting          the confidence         activities and        what you expect to   for the training
development.         factor.                protocol inspection   get out of it.




                     Invest in your career
BYOD, mobile         by setting aside      No. Setup your own                          CONS...attended
secuirty             small amounts.        lab                Yes                      Ruxcon.
                                                                                       All of them ;-)
                                                                                       Always nice to meet
                                                                                       people, change
                                                                                       ideas if the talks
                                                                                       themselves would
                                                                                       be less
                                            NO                    Yes                  relevant/interesting

                                            Yes. If you do not
                                            get caught and do it
                                            for good intentions
                     Starting late.         in the long run.     No



                                                                  Yes
                      I spend too many
                      years doing only
Incident response     network security,
teams/person, in      should have          NO, NO and NO,              Well all of them, go
even small            examined other       never do that. set up       to what you can get
companies             areas earlier.       a lab instead         Yes   at and network.



                                                                       $AN$ - Very good
                                                                       content, but
                                                                       ex$pen$ive
                      Need some            No. The price of            DISA IA Conference
                      rudimentary          mistakes is VERY            Blackhat
IPv6                  business courses.    high.                Yes    CES




                      Not really, if you                               Attend any security
Social engineering    learn from it then its No. Practice              conferences you
and Forensics         ok.                    somewhere else.    Yes    can




                                                                       Any
                                                                       Shmoocon
                                                                       Industry specific
                                                                       (education infosec,
                                                                       healthcare infosec,
Mobile                                     No                   Yes    etc.)

Forensics. Breaches
are only going to                                                      SANS, they are
increase. Secure                                                       some of the best
programming: app                                                       people and best
issues are the                                                         training out there.
current area of                                                        The people you
attack focus and                                                       meet are almost
that's not going to                                                    worth the price of
change.                                    NEVER                Yes    admission.
                     Trying to wear too
                     many hats (although
                     helpful to have a
                     broad range of
                     skills). I also deal
                     with BC/DR,
                     Exchange, Server
                     administration,
                     Virtualization,      NO! Never, ever,
                     Network admin,       ever... it's against                        Source, Shmoocon,
Not sure             helpdesk, etc.       the law.                Yes                 B-Sides, Blackhat




                                           Never. You are
Critical                                   risking the
Infrastructure and                         reputation of your                         SANS and ASIS
mobile device                              company, or                                conferences are
security.                                  yourself (if an IC).   Yes                 great for networking.



                                                                  Yes



                                           No.                    Only to meet ppl.


                                                                  Yes


                                           No, it's never                             Hackito Ergo Sum
                                           acceptable.            Yes                 Defcon
                                                                           ShmooCon - small
                                                                           conference; able to
                                                                           talk with people 1-
Blue team. There       I was advised to go                                 on-1
are so many            back and get a                                      DefCOn - for exactly
companies out there    Masters degree in                                   the opposite reason.
with the IP exposed.   CompSci. I don't                                    Lots of different
Foreign nations are    believe that is                                     people, ideas,
using the Net more     necessary for the                                   cultures
to gain access to      current job market                                  BSides - the way a
networks and           unless you                                          small con used to
proprietary            eventually want to                                  be
documents.             get into a C-level                                  Local - Anything
Companies are          role within a large                                 local whether a
going to need          organization. I think   No. Virtualization is       hacker space,
(currently need)       most companies          too cheap now to            ISACA or ISSA
experienced            (once past HR) look     not have some sort          meeting to meet
individuals actively   at what you can do      of lab environment.         others and learn
working to stop        and your willingness    Permission is               about things going
them.                  to learn.               always needed.        Yes   on in your area.


                                               No, you never know
                                               what could possibly
                                               go wrong. Always
                                               test on your own
                       Don't forget about      equipment or get
                       the security of your    written permission          DEEPSec, BSides,
Smart home.            own equipment.          first.              Yes     Berlinsides

                                                                           Blackhat USA,
                                                                           ShmooCon, Defcon,
                                                                           Bsides and any
                                                                           local cons. I think
                                                                           being part of the
                       I did not value a                                   community,
                       degree early on and                                 networking with
                       it held me back from                                others and learning
                       a lot of jobs I could                               as a group can be
                       have enjoyed. Even                                  VERY important. If
                       with lots of years                                  you can go to only
                       under my belt it was                                one BH USA is the
Continuous             always an issue. It                                 one IMO. Spend
assessment /           makes for a more                                    time with the
whitelisting           robust person.        Errrr no.              Yes    people!
                                                                   Famous & big
                                                                   conferences (such
                                                                   as DefCon,
                                                                   Blackhat, etc) are
                                                                   definitely worth
                                                                   attending, to hear
                                                                   from the first hand
                                                                   experts analyzing
                                                                   fresh kung-fu
                                                                   techniques. And of
                                                                   course the chance
                                                                   to have a talk with
                                                                   them and hear their
                                                                   pro way of thinking
                                                                   and acting.
                                                                   Although I prefer
                                                                   smaller-scale
                                                                   conferences like
                                                                   OWASP meetings,
                                                                   where you can see
                 Didn't detailed and                               and hear young and
                 organized my                                      passionate guys
                 findings good                                     sharing their
                 enough. When I        Definitely *NOT*.           experiences and
                 rolled back to see    There is plenty of          ideas. I really enjoy
                 how I have done       login-to-root boxes         these
Mobile devices   some things, it was   and challenges to           meetups/conference
security         a mess.               test your skills.     Yes   s.




                                                             No



                                                             Yes




                                       NO                    Yes
                       You may not
                       'intentionally' do
                       damage, but
                       systems sometimes
                       crash unexpectedly,
                       or some functions
                       may cause
                       excessive system           Defcon - similar
                       load, etc... Also,         content to BH, but
                       unless you take            much cheaper. Also
                       precautions the            recordings are
                       internet isn't very        posted online.
                       anonymous, which           Whatever regional
                       can have serious           conference is
                       consequences in an         closest to you - it's
                       industry where trust       good to get to know
                       and reputation are         some people
                       *very* important.    Yes   nearby.
                                                  B-Sides because of
                                                  the people

                                                  Def-Con because of
                                                  the technology

                                                  Anything else
                                                  related to interests
                                                  or focus (Google
      Expected too much                           I/O, SANS SCADA
ICS   from certs        Nope               Yes    Security, etc.)



                                           Yes

                       In my opinion yes,
                       as long as you keep
                       the "practicing"           Defcon for the shear
                       confidential and           variety of the talks
                       don't cause                and skill of people
                       damage.             Yes    who attend.
                                                                              Any of them that
                                            I would strongly                  you could attend.
                                            suggest that you                  Blackhat, defcon,
mobile                no                    create your own lab. Yes          thotcon, source

                                            Absolutely not.
                                            There are plenty of
                                            other opportunities
                                            from 3rd parties and
                                            easy enough to                    Any and all
Mobile                                      build your own 'lab'. Yes




not a prognosticator don't "over" certify   no                   no opinion
                                                                            SANS (for the
                                                                            training and
                                                                            contacts)
                       Remember the                                         BlackHat/DefCon
Bring Your Own         business owns the                                    (for the knowledge,
Device is my           decisions on what                                    the contacts, and
upcoming               it's own best                                        the Toxic BBQ)
nightmare.             practice is!          NO.                    Yes     RSA (for contacts)

                                                That's how I
Mobile security is                              learned! But these
going to be big, but   I got out of the         days, there are
the underlying         security industry        plenty of better
infrastructure there   and went to just         ways to learn. When
is application         systems                  I was learning, there
security. Someone      administration and was no such thing
said that we started   then tried to get        as virtual machines
in the hardware,       back into it. The        and cheap
went through           people I know who hardware. I may
networking, and        stayed with security "accidentally" throw
now we're at           are still in it and well a semi-colon or --
application            known, and I find it into a website every
development. I think   difficult to get back now and then                   Blackhat, RSA,
that's accurate.       in.                      though ;).            Yes   SANS




                                                                            All with High profile
                                             Grey Zone. Better              talks and speakers.
                       Use MS Word for       rebuild their system           No vendor road
Ipv6 :-p               Reports               in your lab.         Yes       shows.
                                                                          kinda   none

                                                                                  Defcon, Blackhat,
                                                                          Yes     Ekoparty


                                                                                  Different sets of
                                                                                  conferences for
                                                                                  different reasons.

                                                                                  B-Sides, 44Con,
                                                                                  defcon, brucon etc.
                                                 No, absolutely not.              Good technical
                                                                                  contact and chance
                                                 It's a pragmatic                 to meet people.
                                                 reason though. If
                                                 you do something to              Infosec - find out
Mobile security will                             the wrong company                what's selling in the
get bigger as the                                on the wrong day,                market.
platform does, same                              you could end up in
with cloud topics.                               legal trouble and                General IT
                                                 rightly or wrongly               conferences (eg dev
I'd like to say that                             that will put off some           conferences,
AppSec and helping                               prospective                      TechEd etc) - Gain
development teams                                employers, so I'd                more knowledge
write secure code                                say it's just not                about the underlying
will be huge, if only                            worth it.                        technologies. The
as there's such a                                                                 best security people
low percentage of        I personally enjoy      Look at the                      can speak to IT
companies doing it       the technical side of   difficulties that                people in their
well, but I think that   things, and my          researchers have                 language and have
may only happen if       mistake was almost      even when                        a good
there are changes in     moving out of the       everything's                     understanding of the
laws and regulations     area and into less      completely above                 technologies they
which mandate it.        technical roles.        board!                   Yes     use.
                                                   I would say no.                 I've only recently
                                                                                   been attending
                                                   When I was learning             conferences
                         I busted my ass in        this stuff, I had it in         (DefCon & SecTor)
                         college getting           my head the every               and would
                         straight A's. The         sysadmin was                    recommend both.
                         rational was that my      monitoring their logs           Any conference you
                         grades would set          24/7 and would call             can attend would be
                         me apart from the         the cops after the              to your benefit. In
                         crowd. I was really       first nmap scan.                terms of taking your
                         fighting against the      That was good                   skills to the next
                         "it's not what you        because it kept me              level, there is
                         know, it's WHO you        out of trouble.                 nothing better than
                         know" mantra.                                             spending time with
                                                   As I gained real                like-minded people.
                         That was a huge           work experience, I
                         mistake. Instead of       found it was really             Unfortunately, my
                         fighting it, I should     easy to break into              current employer is
                         have embraced it          client sites without            not willing to foot the
                         and gotten to know        setting off any                 bill for a trip out to
                         as many infosec           alarms - but that is            DefCon. Last year I
                         professionals as I        what they were                  skipped it but
Social engineering       could while I was in      paying me to do.                because I know the
is popular (again)       college. There are                                        value of attending
and is scary as hell.    tons of groups that       We've all heard of              conferences, I'm
Wireless, Web App        meet regularly (and       cases where well-               going out to Las
Security and Mobile      for free) in cities and   meaning hackers                 Vegas on my
device security are      towns all over the        have been sued or               vacation and paying
the things that, while   world. Become a           worse for pointing              out of pocket for the
not really new, are      regular in one of         out a security hole             trip this year. Most
areas I see as being     these groups and it       and trying to work              of my co-workers
with us for a long       will open a lot of        with the company to             think I'm nuts (that's
time.                    doors.                    get it fixed. Don't put Yes     government for
                         If you already know
Smart Phone Bot          you want a career in
Nets, Cloud              infosec, choose a
Security, another        proper study path
decade of IPv6-          (maybe there are
hype without actual      "infosec" courses of
effect                   studies ...               Definitively no!          No




                                                   "No."                     Yes
                                          Absolutely not.

                                          Most companies are
                                          highly virtualised, it
                                          takes very little
                    Nothing springs       effort to move what           I've only attended
For the infosec     immediately to        are effectively live          SANS organised
world? Mobile       mind, try not to      systems into lab.             conferences thus
security.           become too elitist.   Don't be lazy!         Yes    far!




                                                                        DEFCON,
                    I didn't pay attention                              ShmooCon, BSides
                    to an opportunity                                   Las Vegas.
                    when it first came                                  They are great
                    up because I didn't                                 places to learn
                    feel I was worthy. I                                about some of the
                    came back and                                       cool things people
                    went for it 4 years                                 are doing and get to
                    later, but I was too                                meet many of the
Mobile is getting   naive to realize it                                 people you read
huge, Smart Grid    the first time. Pay                                 about and speak to
and SCADA are       attention to           No. Have I done it.          via IRC and Twitter.
getting necessary   opportunities and      Maybe. But, it's not         It's a great time to
exposure finally.   relationships!         a good idea.           Yes   network.




                    Thinking I was an
                    Expert!!!             No!                     Yes
                                             define practice?
                                             if it means only                             blackhat - advanced
                                             scanning and                                 technical talks and
                                             viewing i see no                             basic-to-advanced
                      never start using      problem                                      training
                      hacking tool without                                                derbycon - geeky
                      knowing how they     but if someone is                              talks with awsome 2
                      works                really nasty and try                           days training
                                           to bruteforce or to                            sessoins
cloud security and learn how tools is      exploit or try to sql-   if you have nothing   defcon - alot of
mobile security       written and then you inject the site,         to do or idle,        experts will be
which contains:       are good to go with ofcourse there's a        definitely it worth   there! and they
hacking, forensics .. using it.            big issue!               attending             have a great CTF




                                                                    Yes


                                                                    Yes                   Source conference




                                                                                          BSides
                                                                                          Shmoo
                                                                                          44Con
                                             Nope.                  Yes                   etc..

                                                                                          Chaos Congress in
                                                                                          Berlin is quite a
                                                                                          good exchange,
security challenges                                                                       BlackHat (Europe)
around mobile &                                                                           might be, never
embedded devices n/a                         no.                    Yes                   been there :)
                      I thought
                      concentrating on
                      policies and
                      procedures without
                      specialising in a       Absolutely not. If            Anything covering
                      particular              you compromise on             IT in general and
Virtualisation and    technology would be     ethics, you are in            security cons in
compliance issues.    sufficient. It isn't.   the wrong place.   Yes        particular




                                                                            I highly recommend
                                                                            Defcon. I haven't
                                                                            been to others, but
                      as long as you are                                    the concept is the
                      learning and                                          same. Conferences
                      growing, you are                                      are where you can
                      headed in a positive                                  meet people and
mobile                direction            heh, no                  Yes     network in real life




                                              Obviously no, but I
                                              don't think the line is
                                              absolutely black and          Def con, schoocon,
                                              white. If a site looks        derbycon etc etc,
                                              old and crappy and            but as I'm in the UK
                                              says secure on it             these are all
Smaller companies                             and it then baulks            watching videos
realising they need                           on a search with a '          online mostly thanks
security people.                              is that "practice"?     Yes   to Iron geek.




                                                                            Defcon, blackhat,
                                              No..                  Yes     Brucon, CCC,...
                   Not taking sufficient                           shmoocon, defcon -
                   time to dig into the                            deeply technical and
                   more technical          Not without             relevant. I have not
                   aspects of              permission from         attended others that
                   cpu/memory              those                   I would recommend
mobile and cloud   architecture            site/companies    Yes   (RSA, BlackHat)




                                                             Yes
                       Get involved with                                     DerbyCon and
                       the community.                                        Shmoocon. I've
                       Start a blog, interact                                been to neither but
                       on twitter,                                           plan on attending
                       participate on                                        both this year. The
                       ethicalhacker.net,                                    smaller, more
                       etc. I've delayed this                                intimate cons seem
                       significantly                                         to be the most
                       because I never felt                                  beneficial. DefCon
                       like I knew as much                                   is ok if you know
                       as everyone else,                                     people, but it's a
                       but that's always                                     zoo. A lot of people
                       going to be the                                       seem to be more
                       case. As long as                                      interested in
                       you approach                                          cosplaying in matrix
                       conversations with a     If you want free             outfits than learning
                       polite curiosity (i.e.   room and board and           and networking.
                       the opposite of          desire a roommate            There's undoubtedly
                       "teach me how to         that wants to                a ton of talent there,
I think web apps are hack!"), the               "cuddle."                    but it can be difficult
already popular, but community will                                          to find at times.
I think that           welcome you.             Get written                  World Toor looks
popularity is only                              permission from              insanely awesome,
going to increase      Since I put a decent     someone who has              but it's pricy. For
over time. Wireless amount of detail into       the authority to             more professional
and VOIP will likely this response, can I       grant it, or practice        conferences, RSA
become bigger as       guilt you into           in a lab. The only           and USENIX seem
well. I'll say         following                exception is when a          to be a good choice.
virtualization instead @infosiege? Having       company openly
of "cloud security"    single-digit followers   states that it wants         I think the best part
(focus on              are crushing my ego      X service tested (be         of conferences is to
technologies, not      ;) (Just kidding, it'd   very careful to stay         network with
buzzwords).            be nice to stay in       in scope though).     Yes    industry




                                                Not really... If you
                                                do tho, make sure
                                                its not a previous
                                                employer and you
                                                don't get caught!      Yes
                        don't limit yourself to
                        what you think that
                        you're 'good at' -
                        always try new
                        things.

                        also, don't be afraid
                        to ask questions, of                               defcon, local
                        even the 'celebrities'                             security
                        in the security                                    conferences. useful
                        industry. everyone                                 to meet people,
                        in this business is                                learn how much you
                        pretty approachable absolutely NOT.                don't know, and to
mobile security,        once you get past      they could be a             immerse yourself in
definitely.             the egos..             potential client...   Yes   the culture...
                                                                           Really any
                                                                           conferences are
                                                                           good. It is more
                                                                           about meeting
                                                                           people then the
                                                                           conference itself.
                                                                           For security specific
                                                                           ones help to get to
                        Stay focused on one                                meet people that
mobile (android,                          Typically no
                        topic at a time. I like                            can give you
IOS)                    to tackle too muchbecause it would                 opportunities.
web I think is always                     ruin your chance of
                        at once. I still do
a big issue just        that a lot and    ever getting in                  security:
because of the          sometimes have to security if you get in           Bsides
number of hacks                           trouble but places
                        step back and set a                                shmoocon
over last few years     focus.            like facebook,                   derbycon
malware is always                         google, and                      Local Security cons
on rise               Don't think just    microsoft pay out for            manager type
                      because you heard people finding bugs                conferences like
Coming from an        someone's name      in their stuff. So               RSA if you can get
exploit developer I they are worth a      hack away                        to them help for jobs
would say don't go damn. I have found
down that road for a out from experience Also sometimes you                Other:
career. Not many      sometimes the local might think you are              Linux user groups
jobs in that market guys blow away the hitting a small site                Programming
and the doors are     skills of the known and it is hosted by a            conferences
closing daily on      names.              major company. If
access methods. I                         you don't know how               Also give talks,
would suggest         The local guys are to be sneaky yet,                 good ones, and you
learning it though as too busy getting    which I assume you               may get noticed.
a skillset for        better to go out    don't if you are                 Don't think because
knowledge             parties at cons     starting, then don't             your not a big name
purposes.             constantly.         do it.                 Yes       you can't give a
                                                                      Brucon, Black Hat,
Mobile                No.                 No.                   Yes   Hack.lu




Bring your own        If you want to
device - the          specialise, do so
management of         early on, but be                                Infosec europe and
personal devices in   prepared to be      Legally no. Stay            any freebies from
the corporate arena   pigeonholed         within the law        Yes   local groups.




                                                                      Hxx (Ohm2013),
                                                                      CCC, Defcon.
                                                                      Back in the day,
ipv6 makes things                                                     DNScon
interesting.                              There are plenty of         (http://www.dnscon.
smartmeters, when                         places in the world         org/) used to be
they are rolled out                       outside the                 good, but has gone
really badly en                           jurisdiction of the         now. UK based
mass.                                     UK/EU/US to                 conferences seem
badly done NFC                            practice on. They           to be based around
                      Working for the man are most certainly          making money and
                      for too long.       "practising" on us.   Yes   selling training.
                                                                           If you are going to
                                                                           the sales floor at
                                                                           RSA or if you are
                                                                           going to a bsides
                                                                           and hearing whats
                                                                           going on. I would
                                                                           have never known
                                          The internet is the              about the PTES
                                          wild west, if you                without going to
                                          don't want to be                 BSides I am sure.
                                          tested on don't put it
                                          out there.             depends

                                          I'm not a huge fan of
                                          this, I usually ask
                                          before I play. But
                     Never give a new     then again there are             BSides, 44Con,
                     guy a licensed copy sites like Microsoft,             Defcon and any
                     of Nessus            Facebook and                     regular local meets.
                     Pro/Nexpose. Make Google that                         Big cons life
                     them figure it out   explicitly allow you             Blackhat are not
Building             manually and see     to test so go hog                worth the money in
Management and       what happens, if     wild on those. If it's           my honest opinion,
Maintenance          you get good results something you can                the talks are
Systems are going    you have a good      install on your                  watered down
to become            tester. They can     machine however                  versions of what you
something big over   then have Nessus that is a different                  see at Defcon a few
the next year.       as a reward.         story. Go crazy.       Yes       days later.
                                                                           BSides - Good
                                                                           quality talks and
                                                                           free event thats only
                                                                           1 day so easier to
                                                                           justify time off work.
                                                                           Good to mingle
                                                                           Owasp - Some good
                                                                           talks, free and its
                        Would have started                                 after work so no
                        in Security Earlier                                contention getting
                        instead of waiting 11 No, even with                time off for the
                        years into my         permissions it still         conference. Good
Mobile                  career.               technical a crime.     Yes   to mingle


Home
goods...ZIGBEE
and other such
devices are going to
come out, and come
under some real fire
when they
encounter                                                                  SANS, DEFCON,
issues/hacks.                                                              DERBYCON,
                                                                           CANSECWEST, B-
Hardware...either                                                          Sides
manufacturers get
the idea that people                                                       Sans being one of
don't want neutered                                                        the few "vendor"
shit, or they                               Ideally this is a              conferences is no
continue to get                             hardline NO, but               mistake. They teach
jailbroken. Microsoft                       then I say it                  good skills, it's then
finally got the hint                        depends on what is             up to the individuals
with the Kinect, but                        being "practiced".             to prove they can
what about their                            An xss popup on                put them to good
next project and                            your own system is             use. The less formal
who is next to figure                       pretty hard for me to          Cons are very
it out?                                     feel that's malicious          worthwhile because
                       Start early when you and inappropriate in           they get back to the
Also wireless has a can still afford to     most cases. SQLi               roots of hacking
great life ahead of it take some            on the other hand, is          being a curiosity
for failure...unless   drawbacks with your not acceptible in any           and informal group
the standards          career. Such as      way, get a WebGoat             activity of sharing
bodies get their act lower pay, and         instance for that              information and
together.              intern positions.    stuff.                Yes      learning.
Mobile. | (no answer) | Depends entirely on that site/company's approach. Google, for example, encourage and reward you for hacking their site. If the site doesn't explicitly allow it, you're breaking the law. Whether you think it's ok or not is irrelevant; get caught and you're going to prison. OK, that's my official answer. The line is not so clear..... I think you'd be hard pushed to find anyone in this industry who hasn't at some point hacked a website they weren't authorised to, cracked somebody else's wireless network or generally hacked without consent but, crucially, without | Yes | BSides London - great crowd, good for meeting like-minded people. BruCON - great talks, international pull, good beer. hashdays - enjoyed the talks and hanging out with some of the "big names" in the industry who you can learn so much from. Ultimately though, being good at infosec is about knowledge. Learning and sharing and conferences are great for that. A lot of the time it's the corridor track which is more valuable than the talks.

Mobile | Assuming everyone is going to be happy and receptive when you detail how you broke into their systems and how they should fix it. | Is it OK to break into someone's house and look around if you don't take anything? | Select ones and not for the talks | Defcon for its size. Lots of people to meet

Quality pen testing. | Impressed by "known" white hats and disappointed when I finally met them or worked with them. Several of them are arrogant and not that impressive. | No, never. | No | (no answer)

ai | Consulting fucking rocks it. Get someone to pay for your training and then after a few years go it alone or with a team. | Yes and no. It's complicated. I think it is morally ok, provided nothing is modified, lost, etc, but I also think there should be consequences of getting caught. It's good that it's illegal, it keeps the noise down. OTOH, it's very useful for practicing. If someone doesn't pull the shades and I can see in, that's their fault, not mine. But once I start lurking in their yard for a better view, that's crossed a line. You also shouldn't blab about it or publicize any problems you find, but you should tell the owner, anonymously. And don't get caught. Challenge accepted. | Yes | shmoocon, derbycon, hope, summercon, defcon, hack3rcon, and any other con with hackers and booze.

Mobile and wireless, especially as more consumer gadgets emerge. Virtualization vulnerabilities, and breaches of cloud providers. Too many providers are getting into the cloud arena too quickly without adequate precautions -- look at the big Amazon crash, and the use of Amazon by black hats and nation states in attacks. | Specialized in Cisco in networking. Juniper dominates the telecom marketplace and is beginning to make inroads into | It depends. If you're just running a vulnerability scan or poking around that doesn't substantially impact performance, sure. Causing a denial of service? No, that's unethical. | Yes | SANS -- they also offer volunteer posts where you can audit their training for free, then follow up with on-line courses to complete your certification. WORLDCOMP -- latest academic research and connection. I presented there last year. IEEE -- especially in wireless communications and other technologies. SecureExpo -- latest products, vendors, great networking opportunity. RSA / Guardian if you're interested in CEH or PENTest. ISACA if you're interested in audit.

Mobile security. | no. | No. | Yes | Defcon, Hack In The Box, Shmoocon, Derbycon. Reason: don't know, but heard a lot about them.

I am really interested in quantum computing and 3D printers. | Getting burned out. | From a legal standpoint I say no. Lawyers are expensive and jail sucks. Also, once your name is tainted it can be hard to regain trust. | Yes | I have only been able to go to Shmoocon and I had a decent time.

Mobile security, cloud-based services, IPv6 (finally?) | no | Not really. Simple mapping and dedicated scan access might be okay. But full-blown scans or even exploitation is dangerous and wrong. | Yes | Everything that is not vendor/product driven

Cloud based computing and associated attacks. | (no answer) | Of course not. | Yes | (no answer)

Pen-testing for medium and smaller businesses as well as cost-effective security consulting and services for medium and small businesses. | Have a stronger commitment when starting out. | No. | Yes | Derby Con - still small which gives a more personal feel and touch.

In Latin America the security market is rising very quickly; it's a good opportunity to start studying forensics and penetration testing now | I try to do a lot of things at the same time, it's wrong... focus is the word, choose one or two areas and focus! | No. | Yes | Defcon, BlackHat, I shoot the Sherif, H2HC, Ekoparty

Mobile devices and networks | I would advise listening to anyone else with an opinion on what you're doing. This industry is full of "experts". Be your own expert and just keep learning. | No. | Some | DerbyCon, BlackHat Training (not the briefings)

Yes, working for cheap. | I wouldn't approve of it but ymmv. | Yes | (no answer) | (no answer)

Mobile | (no answer) | Only if you don't mind always looking over your shoulder, and are willing to go quietly to jail when you're caught. The statutes of limitations are far longer than you think, and more data is collected than you can imagine. If you're still in the "practicing" stage, you won't be able to hide your activity anyhow. So, no. There are plenty of resources where you can practice safely on your own hardware. Vulnerable VMs from OWASP and Metasploit and others. You can always work on exploit development locally, based on info from exploit-db | Yes | Not sure on this one - I'm leaning towards the smaller, community-driven ones like B-Sides (because they're cheaper, so you can pay your own way, and more personal, so you can make professional friends), but I haven't been to any of them yet, so can't really say.

Mobile Device Security | (no answer) | Never. Damages trust and introduces potential for mistakes. | Yes | Various Hacker Cons. Good research presented in large quantities in short term

I see Linux becoming as easy to exploit as Windows. | No. | Never! | Yes | Derbycon! Everything about this con is amazing. I am getting older and more cranky! Defcon had too many people and I hated waiting in line for food!

(no answer) | (no answer) | NO | (no answer) | (no answer)

(no answer) | (no answer) | (no answer) | No | (no answer)

(no answer) | I wish I was more into exploit development, reverse engineering, and malware analysis. | No | Yes | Carolinacon - Great first conference for people who haven't been to any/many. Small where you can meet and interact with a lot of people. Shmoocon - A good solid conference with a great chance to meet new people and learn a lot from topics presented. Defcon & Blackhat - Same as Shmoocon

Even though it's not my field of expertise, I think mobile security is the next up and coming field, since smartphones are so ubiquitous, people are lax about them, and mobile malware is becoming so rampant. | my career before computers :) | Absolutely. If the vulnerability is out there, someone is going to find it... better by a curious researcher than someone malicious. | Yes | Shmoocon is my favourite, since it's big enough to draw top people, but small enough that everyone is accessible. Also, Security B-Sides events are worth so much due to their informal nature. They have the best hallway tracks of any cons I attend -- there is so much networking that goes on despite feeling no pressure whatsoever to network.

Ever changing web technologies. | Resist the temptation to make things seem all about "me". While notoriety and reputation are very important in this field, there is a fine line between arrogance and presenting cool research with self confidence. | Hm.... depends on the vulnerability. For example, reflected XSS against a live app affects no one but yourself (outside of SE). However, stored XSS actually leaves residual information on the server which may affect other users' experiences with the app. That's crossing the line. | Yes | Shmoocon, Black Hat, Defcon, DerbyCon ... NETWORKING!!!!

None, I think we need to fix what's broken before we move on to the new stuff. | Trust but verify. If you learn something, do it yourself, or look it up yourself. See if it checks out before you start telling others about it. | No. You will never know what those sites and companies will interpret as 'damage'. It's not worth the court or jail time. | Yes | All of them are good for networking, and there are always 1 or 2 good talks that happen.

I won't say mobile because I'm sure everyone has said that. I'm not sure, depends how far off you mean by "Next up and coming". ARM exploitation is going to go gangbusters in the next couple of years, that's for sure, but I hope the big mobile OS makers can prevent the carnage. Unlikely though. | I didn't have a plan. At least get a rough compass bearing and recognise what sub-fields are not on that path, rather than wandering the great plains of security picking up every shiny rock that catches your eye. | Not if you value your career or freedom. Morally speaking the answer has to be no too, as you never know when a site will behave unexpectedly and break something unintended. | Yes | I won't name names as I haven't been to most of the ones I *really* want to (with the exception of a B-Sides) but just wanted to say that they are good for the contacts made. The presentations are generally nothing you haven't already read about and it is usually the stuff that happens outside that is of most long term value. My employer has certainly benefited from the contacts I've made there, but I don't know if it's the most efficient use of ever decreasing budgets - particularly for people like me who have to travel half way around the world to go to the good ones. I have a bit of a

Protecting Privacy. Defense, Defense, Defense! (it's the new sexy). Sadly, the FUD of "the Cyber Warrior". | I tried to learn a bunch of stuff at once. | No. | Yes | Summerc0n, the attitudes are great and the presentations are stellar. Shmoocon, there are some great talks and the ability to meet like minded folk. I've never been to but would like to go to Derby Con and/or a BSides event.

Mobile security, after that personal (as tech implants) security and space security (as in rockets and satellites) | Sure, try to do it yourself; the best way to learn is to get hired in security and do your own research. | No, it's like saying it's OK for you to practice paintball with my car because it won't do any damage. It has a cost for the company to look at that "practice", and it's not OK to make people lose money. | I can't tell, never been to one | Costa Rica is so small that people don't know about security conferences; it could help you by giving you new weapons/knowledge that others don't have. But it won't help you to get a job here. Either way I believe Shmoocon, BlackHat and DefCon

Information security at a large scale. More companies are collecting more data than ever before and it is increasingly easy to access vast amounts of PII. Forensics is also a very big field and will become even more complex with personal file encryption and VP(S/N)/Anonymizers becoming close to mainstream geekery. | Not specializing. I have a tendency to try to learn something about everything which progresses to trying to learn everything about everything, which is very difficult to do and even more difficult to keep up with. Branch out and work in teams and become an expert in a few things. The most successful teams will have individual strengths and should be comprised of several areas. | Not even a little bit. But........it does happen and "no harm, no foul" is tempting to some. | Yes | Security B-Sides (good info, great price). SANS Network Security (great location normally, pricey, great info).

Mobile Devices | Nothing I would admit, don't get caught. | Of course not. | Yes | Defcon, Shmoocon, Torcon

Cloud security and the security controls and auditing of the cloud... wait... we first must define the cloud... aahhhhh, isn't that where rain comes from... LOL.. | Thinking security is a product or vendor. A FW is not security, IPS is not security, and so on... all together is part of security | Depends on if you like taking group showers... LOL. It's too risky nowadays... while I think in the past it was okay... today you are asking to get caught and then take group showers... | Yes | Any SANS, the interaction is great and network opportunities are huge. Defcon, it's fun... but can be crowded. Cisco Live, you get a chance to find out how many of the systems work and where the system might be weak. Other cons are fun and are helpful, go if you can

Mobile devices... open scope testing | (no answer) | Not at all | Yes | Defcon, derbycon

(no answer) | (no answer) | (no answer) | Yes | (no answer)

that changes daily. Web security is always evolving, mobile, cloud, virtualization, etc. | Anything is good experience, especially if you regret it. | Absolutely not. | If someone is willing to pay | (no answer)

Reverse Engineering | DO NOT BREAK THE LAWS! | no | Yes | DerbyCon, BlackHat, DefCon

The law of unintended consequences will continue to apply - c.f. SCADA, cloud data storage, etc., etc. | Considered only the security angle. The system still has to be functional at the end of it. | No. No, and No. | Yes | Anything with actual information from other ITSec professionals, not just vendors selling wares.

SQL is a massive portion but the next big thing is lack of vendor support for IPv6. | Being cocky. You might know more than the typical sysadmin but don't try and make them sound stupid. | NO. Build a test network or have a friend build it, then break it. It may be funny to you but you're costing jobs and reputations for your shits and giggles. | Yes | Blackhat because of networking possibilities. Defcon because of the people. Shmoocon people again.

Embedded/portable devices. | (no answer) | No, no and no. | Yes | Any of the bigger SANS ones, and CANSECWEST. Depending upon your focus, non-technical speciality ones (ie Privacy) can help policy and non-technical portions of the job.

mobile security, including secure app development, secure configuration, mobile log management, mobile forensics | Got a security clearance which limited my future options | No | Yes | SANS, Besides, Chaos

Cloud | Taking a position just because it was in the industry. Always make sure the job is the right fit for you and the employer. | No | Yes | I've only been to BlackHat US, Defcon, and TorCon. I suggest going to any con just for the exposure factor.

The world. | Organization, notes, and keeping track of those notes. Also, before modifying anything... BACK IT UP! | NO | Yes | Any conference can be useful as long as you are there to learn and put forth effort to learn.

Right now, mobile device forensics. | (no answer) | No!!!! Don't do it. Stand up your own system. | Yes | SANS and EDUCAUSE security professionals, you pick up a lot of helpful information from fellow attendees that you just don't get in the online environment. They are also good to form working relationships with others. You call/rely on each other for help on the job going forward.

| HR cert - Comptia CASP. Knowledge certs - Offensive Security. Skill - mobile apps | Didn't realize the importance of an incredibly solid foundation. | No, not at all. Your reputation is everything in security; once tarnished many doors will be forever closed. With so many open source technologies and the ease of virtualization, there is little need or justification to commit what might be considered a crime. | No | |




| Incident response and data correlation. There are many tools that generate tons of information. The challenge is putting it all together and reacting to real issues, throw out the noise. | I stayed in the system administration field too long with too much focus on unix. I should have branched out into windows administration sooner in my career. | No. Use a virtual infrastructure for practice. If your company can support it, build a lab. | Yes | I prefer small cons, local events sometimes associated with area colleges. The large cons tend to have too many vendors trying to collect contact information. |




| Mobile anything. | In my younger career days I was too quick to remove an issue instead of containing and understanding it. | No | Yes | Any that are related in some form or another |



| mobile security | less party more study at university | no | Yes | |
| Meh | Not learn to talk business | No | Yes | Defcon shmoo. Local cons issa isaca |

| Incident response and data mining. The tools we use generate a lot of information, pulling the relevant information and correlating it with bits from other tools is still a new but growing area. | I focused too much on one area - unix and linux administration. It built a good foundation for penetration testing and hardening those operating systems - but I struggle with windows and now wish I had more experience there. | No. Practice in a virtual environment. Build your own or if your company supports it, work to build a lab environment for testing. | Yes | I would recommend small conferences - Bsides or smaller local ones done by area colleges. In my opinion, the larger conferences are more for sales people to build up contact lists. |




| Mobile and cloud security, privacy | Know the infrastructure | No | Yes | SANS, Black Hat |




| Forensics and penetration testing, same as always, but in interesting new areas. | No, keep experimenting and learning! | No, never. | Yes | Recon, Defcon, Sector |
| The assessor market will continue to move from a highly commoditized market (especially in the PCI space) to a greater focus on high quality risk assessment, regardless of compliance regime. Additionally, the individuals who know only how to run tool X will become less and less valuable moving forward. There will be more convergence of security engineering of all sorts with other IT engineering efforts. | | Not without a large legal costs savings plan. There are several cases before courts in the US where this kind of activity is being decided. | Yes | Black Hat for networking and general familiarity with the professional industry. AppSecDC or Shmoocon for technical interests and networking in the Federal/regulatory market. |



| | | | Yes | SANS, Blackhat, Defcon, BSides |




                                                          Yes




| 3/4G compromising | Only test on your own network as opposed to other people's | No | Yes | shmoocon, Defcon. It's good to meet the people behind the latest exploits and also to learn from them. |
| Critical infrastructure. It's been on the map for awhile but it's really beginning to pick up steam. The state of affairs with critical infrastructure is sad. Most of these networks we go into are horrible, like 10-15 years behind the curve. | Ask me again in 10 years. Nothing yet. | NO! | Yes | Anything you can afford. Try to get to Defcon/Blackhat and the 100's of other great ones in the US. Not as sure about EU. |



| movement away from authentication (passwords) to recognition as a means of providing access to systems. | failed to specialize in any one specific area | Never. | Yes | ShmooCon, DefCon, BSides - networking, information exchange in hallway cons |
| I see the integration of mobile devices into the enterprise network as the next big thing. Trying to secure these platforms without killing the functionality they offer is going to be a real challenge. | I do things wrong all of the time. The biggest thing is to practice what you preach. | No | Yes | I think conferences are worth attending because it gives you a legitimate reason to be unavailable and to focus on what is being presented. Watching recordings of presentations from your desk does not stop people from interrupting you. I also think it is a good chance to meet like minded people and discuss items that are being presented. It also allows for people in the same field to talk about things that they might be struggling with and to learn from the others without the distraction of work. We have all been there. When you tell someone that you will help them then you get |
| | | OK as in moral - maybe. OK as in risk - you could torpedo your career doing it. Not to mention jail / fines. In this day and age, setting up your own victim environment is easy enough to give a taste for "practice" without the personal risk. | Yes | I used to really like the SANS conferences as much for the after-hours birds-of-a-feather. But they've lost their luster. Really - it seems that conferences wax and wane. It's good to keep an ear out to the community and hit conferences that have strong community support / interaction. After all, SANS had decent courses and good instruction... but it was the community that was the real reason to go. |
| Securing BYOD (Bring Your Own Device) projects. | Let PM push projects through without myself sticking to my guns on Security matters. I probably should have learned to bullshit more, so many people I have seen do this and get higher paid jobs, hoping they can pass the blame onto someone else once they are proved wrong. | No. | Only for networking. | |




| Cloud pentesting and forensics | Never go into management! Ha! | No, there are far too many ways to avoid this, especially with virtualization | Yes | Defcon, B-Sides, Shmoocon, and anything at which you can get a chance to present |
| In my opinion security follows the way of IT in general. Since IT is moving 'to the cloud' (*drink*) I think security will follow that as well. The way services and applications will be provided to users will change so the bad guys will also change their tactics on taking advantage on that situation. And as such security will follow in their footsteps. | I have always felt that you can be a security expert in your own field. And although this is true for specialisations you will need to be able to adapt to changes in the field. So basically you just need to learn it all. There's no shortcuts. It will take time and effort and it's not always fun. But I made the mistake of leaving complete parts of IT to other people (coming back to my database and programming remarks). | No. I feel you practice in a lab. In a controlled environment. Even though I have to admit I sometimes work at companies in a different role than pentester and things seem so bad it's hard to contain yourself to not just prove, even to yourself, that you could <quote>pwn that box</quote>. However, even this I would consider just attacking or testing the device /network. Not practice. And I would not consider this 'ethical' either. | | Never have been able to attend a conference, so can't really comment. |
| Mobile devices as more and more people use them for business | I took a chance on a small company that I was not a principal in and when they stopped pursuing security I became redundant. Remember at the end of the day it is all about business. And never let a clearance lapse once you've gotten it, those organizations will train you into jobs. | Absolutely not. | Yes | Defcon, the largest. Black Hat, has been recommended for content. Shmoocon, as it is smaller and it is a fun atmosphere |
                                                                    Yes




| I think there is going to be a lot more focus on application security as this continues to be a common exploit point even after several years of this same activity. Tied in with this, governments and companies are moving to real-time security so that you can get a constant "score" on how you are at that point in time instead of the old style audit report that is out of date when it gets delivered. | I started out "seat of my pants" with no real security training available. I networked a lot with others in the same position to get a sense if I was doing it right but didn't always feel confident that I was getting everything I needed to. Things got easier when SANS started and you could get real hands-on training. Get as much training as you can and don't ever stop. You can't always count on an employer paying for training so you need to budget to invest in your own training if you need to. | Absolutely NOT! Use your own lab gear (old systems anything you can find) and make extensive use of virtualization to create test environments. | Yes | SANS Training Conferences, RSA Conference, HTCIA Conference |
| I truly believe the next thing for the security industry is more regulation, and licensing. Security professionals will be licensed at some point to do their jobs. The security community now has so many trust issues it's only a matter of time that we are regulated like doctors, lawyers, private investigators and .. beauticians. | Get as much education as you can handle too much is bad, more hands on and practical experience is better but weigh them out and have a healthy balance. | No. Unless you want to go to jail and never be in the industry credibly. | Yes | Sharkfest, good community and good software. Derbycon - great speakers, new and improved defcon-ish. Schmoocon - great speakers, if you can get tickets. |

| Cloud security. Also application security will continue to mature. | Resist getting certified, especially when employers are willing to pay for them and their upkeep. | No. Good way to close doors for future employment if you get caught. There are plenty of other ways to practice these days. It's just not worth the consequences. | Yes | Thotcon in Chicago. Great technical talks. DerbyCon in Louisville, it started great and looks like it promises to continue to deliver. |




| Mobile computing. | Don't try to rush to learn in order to keep up with the industry or try to know everything. I felt I wasted a lot of time. Pick a certain aspect of information security to specialize. Plan ahead on what to learn - even if it is a small task at a time. Learn other aspects as long as there is a foundation. | Leaning towards 'no' even if the intentions are well. | Yes | DefCon and BlackHat. Great for viewing and hearing about the latest exploits and attacks. Also, to interact with others for defensive ideas for network security. |
                                               yes                  Yes


| forensics, tool dev | | for sure, it's how everyone gets started | Yes | kiwicon, it hasn't sold out |




| Secure application development and security systems that combine with each other like physical security with integration to logon system. Whitelisting of applications. | Didn't learn programming early enough. | No, always get their consent. | I believe so, haven't been to any yet | |




| Mobile, obviously. Also hypervisor kernel attacks to get access to the cloud infrastructure and everything hosted on it. One win yields huge payoffs. | Don't waste time aligning to yourself to tools or programming languages. Use everything. | This is tough, if you're a paying consumer of something I think it's okay to look. Don't be unusually stupid. | Worth speaking at! | Blackhat - most corporate appeal, and you will get job opps from talks directly. Shmoocon - small and intimate, good group |
| Cloud | N/A | Not really | Yes | OWASP meets, free and great people |
| mobile security | | NO, NO, NO, to protect yourself, you have to get permissions, sometimes written permissions. Because sometimes the damage is hidden and the impact will show some time after. | don't know, never had one | |




| Survival in a post apocalyptic landscape | Never assume you are anything than a hired geek | Nope. Always be paid and get permission, thus avoiding jail | Yes | Anything small and not vendor love ins |


| Cloud security could be new challenge | Yes, code review process must be planned well. | Depend, | No | Sans and owasp |
| MOBILE | Don't just scratch the surface and expect things to work. For example: If you're going to run an exploit, you have to know: 1. What the exploit does 2. What is going to happen on your target 3. What the end result should be 4. What the end result actually is if it isn't what it should be. It is far easier and less frustrating to do the work on the front end as opposed to bashing your head against a wall on google looking for quick fixes. | no opinion really, just realise if you get caught the rest of the world doesn't share your sentiments on 'practising' in their environment. | Yes | DC4420, small, intimate setting with various talks in London. B-sides - anywhere will do. London and LV are my favourites. Wide variety of talks, not very commercial. RSA (in the states) - EVERYBODY is there and ready to talk to you. It's a little bit over-the-top commercially, but for elevator pitches on what's out there it's good. Infosec Europe - same reasoning as RSA. Blackhat - completely over the top. Great info tho, just make sure you turn off your mobile =] |




| IPv6 | Tell everyone in the company you're going to start putting out malware drops. No one trusts me now. | Nope. | Yes | BlackHat, Defcon, BSides. Networking, training, eye-opening, paradigm shifting |
                     No     Sometimes




| | When doing testing with social engineering attacks, you have no idea how a target may react. Brainstorm possible reactions from the target and try to account for them, and adjust testing, or come up with a different test that's more controlled. | No. | Yes | |



                            Yes
                                                         Yes




| | | Simply FUCK NO! Listen and listen well skiddies or people starting out. You may think it's fun or a good idea. But yah know what's gonna happen, you're gonna go to prison for a couple years if you do that. | Yes | Generally either Derbycon or obviously Defcon. Defcon for the obvious reason that generally that's where the good conferences are going to happen. That's where the big-name security consultants are going to be. Derbycon on the other hand is somewhat smaller, but just as good as Defcon. |




| mobile devices | 'Testing' in the public arena | No. | Yes | BlackHat and Defcon - most information |




| security | no | no it is not, you need to ask permission | Yes | ToorCon, Defcon |
| Mobile device forensics and cloud security. | | No. Always ethical all the time. Everything comes back out when you go to get a clearance. | Yes | Conferences seem to be more about the networking than the actual talks and presentations. So which ones depends entirely on who you want to meet. HOPE is one of my favorites though and got me an internship from networking. |


| | | No | Yes | defcon; hackers at large, what the hack, har...; black hat; CCC |




                        no                      Yes

| moving pentesting to the next level, where it becomes actually useful in making our systems and practices more secure. currently, pentesting is taking a wrong path... | | well, sorta', as long as I am doing it to others :) my point is there's no way you can separate yourself from the criminal intent. My final answer is No, it is not OK. | No | |
| I think with all the focus placed on the actual network with firewalls, IDS/IPS, and other such devices, I think we have only scratched the surface of web applications. As more tasks are being "dumped" on the internet through cloud solutions, I think web applications are going to be emphasized by the attackers, if it hasn't taken place already. | Don't wait to get into this field. I made a career change and turned my hobby of technology into a career. IF I could go back and do it all over again, I wish I started out in this field from day one. | No. With today's PII and breach issues, it would be difficult to justify your actions without the proper permissions. | Yes | I would recommend attending any conference available and all that your company would allow. I think conferences in general are a great learning tool. |

| Big data and health care. | Thought I knew it all. I guess it's easy to sometimes when everyone tells you how amazing your job field is. Just stay humble, you never know it all, and if you think you do, someone will knock on your door tomorrow and show you why you don't. | No, never in my opinion. You're affecting a lot of people when you take down a website, a lot of people may get woken up in the middle of the night, or even in the middle of some very private activities all so you could experiment. Experiment on your own box. It's cheap, get a Raspberry Pi or some old box off craigslist and build yourself a test machine, or use a lab. | Yes | Derbycon - It's like Shmoocon but without the DC rubbish. Shmoocon - The original "small" big conference. Defcon - Worth going once, but I dunno if I'd do it twice, it's overwhelmingly huge. Day-Con - Awesome group of people in Ohio, and a nice international presence. |
No - with the laws as they currently are it's illegal, often a felony, and not worth it. Especially considering how cheap it is to set up a virtual lab these days. | Yes


Security of mobile applications | Never, not unless you like wearing Orange and want to be Mr Bigs Bi*ch | Yes | CrestCon, Defcon
Only if you cover your tracks, report any found vulnerabilities and actually don't cause "damage". | Yes




Mobile mobile mobile. Cloud cloud cloud. | Minimize your time working for government. | Of course not. | Yes | SecTOR, CanSecWest, ShmooCon, DefCon
I expect client-side attacks and smart phones to be the next big area of security to be focused on | No, of course not. Having said that though, I did when I first started out as there were no targets to practice on. Now spinning up a VM is easy, there really isn't much requirement to go testing on actual companies. | No | None at a junior level. Although they help with people networking, they tend to be focused on specific technology security, which is generally over the head of someone attempting to get into the field.




                                            Yes
making it easy for people to be safe. | NO | Yes | I think they are worth attending but you have to be very selective on how you use your time there. If you spend the whole time waiting in lines for 45 minutes worth of content in the back of the room then your time is better spent with a book at home.
No. You should have explicit permission to touch other's stuff, no matter what's the motivation. | Yes | RSA - to know the market; BlackHat/DefCon - to make the dream come true; Local DefCon chapter - to stay tuned to what others are up to.




i wouldn't say it was the next up and coming area, but an often missed area is people. Internal people are an excellent resource if you spend time making them aware and coach them. | don't start down the FUD route when talking to senior managers. Once you start, it's hard to go back and everyone relies on you making the FUD even more FUD than your last FUD! (too much FUD) | no | Yes | I'd say it depends on your level. As a manager with projects in mind, info sec is useful. bsides might not be useful to a manager. However, as I'm the only one doing security at my company, I attend bsides for the techie stuff, and info sec as I know i have upcoming projects that i need to talk to vendors about.




contract negotiations | no | absolutely not | Yes | local ones with lots of technical focus, SECTOR
Mobile device security. | Don't get in trouble while learning. Use common sense, it's easy to get carried away. | Yes. Don't get caught, see above. | Yes | I'm not allowed to leave the country, the conferences here are scarce. However many talks are available online, enough to get my daily dose. Keep it coming.
IR and Forensics - Lots of opportunity here, and little skilled people. | Never, Ever, Ever fully drop out - do some sort of base diploma or schooling. | No. Besides, it's easy enough to build your own environment - http://sourceforge.net/projects/dvwa/ (Damn Vuln Linux seems to have gone) | Yes | Sector, Defcon, Any and all BSides Events.




yes | Yes | any security conference you can get access to




Unsure. | Wasting time and money on a degree in this area. | If you can 100% guarantee no damage will be done then yes. Otherwise no. | Yes | First major conference I will be attending so can't really comment.
Increased automation, integration and data processing - i.e. DevOpsSec / SecOps. Routine, tedious work should be automated so people can get on with more important work. | It is never okay to perform any kind of testing without permission. Breaking the law can end your career before it begins. Famous hackers that have gone on to be successful are the exception rather than the rule. Besides, home labs are cheap and easy to put together, so it's also not necessary. | Yes | I like the more community focused conferences like BSides, DerbyCon, and of the larger conferences DefCon. The price to info ratio is much better than larger corporate conferences, and they are a great opportunity to meet others in the community.




Web App / Mobile App / Cloud security | Never. | Yes
BYOD | stay in the same role for too long | No, build your own lab and do it there. | Yes | A variety to understand different perspectives, eg B-sides for techy, RSA for Security business, others for security management, ...

no.. is not ok. besides in my experience when you ask permission most people say yes | Yes

Not unless they advertise it. An example of this is Hackthissite.org, Google offers bounties as well as Facebook. | Yes | BSidesLondon - Very focused and less vendor driven than other cons. As a student I find it a very approachable environment and a great place to learn about Ethical Hacking from an industry perspective. Affordable too!




                                                  No
Mobile security. | Don't be arrogant. There's nothing wrong with sharing war stories but don't brag. There is always someone better than you and you don't want to become the subject on the Errata page of Attrition.org. | No, never. There are plenty of opportunities to practice elsewhere and building your own lab will help you better understand what is happening. | Yes | Black Hat, DEFCON, DerbyCon, ShmooCon, SOURCE (Any) - These conferences give you a healthy blend of all sides of the security world (pentesting, web, dev, business, etc). Also, the contacts made at conferences are invaluable.
Would you mind if I contacted you to get some more in-depth answers to some of your answers?




No




No




No




No




No
Yes




No



Yes
No




No
Yes




Yes




Yes


No
Yes




No
Yes




No




Yes
Yes




Yes
Yes




Yes




No




No
Yes
Yes
Yes




No
No




Yes




No
Yes




No
No
Yes




Yes




Yes
Yes




Yes




No
Yes




Yes




Yes




Yes
Yes




No




Yes
Yes




Yes




Yes
Yes




No
No




No




No


No




Yes
Yes




Yes




Yes




Yes
No




Yes




No
Yes




No
Yes




Yes




No
Yes




Yes




Yes
Yes
No




No
Yes
Yes




Yes
Yes




Yes




Yes
Yes
Yes




Yes




No
Yes




No




Yes
Yes




Yes




Yes
No


No




Yes
Yes




No




Yes
Yes




Yes
No




Yes
Yes
Yes




Yes




Yes
Yes




Yes
No




Yes
Yes




Yes
Yes




Yes




Yes




Yes



Yes
Yes




No


Yes




No
No




Yes
No




Yes




No
No




Yes
Yes




No
Yes




No
Yes




Yes
Yes




Yes
No



No




Yes




Yes
Yes




No
Yes
Yes




Yes
Yes




Yes




No




No



No
Yes




Yes




Yes




No




Yes
Yes




Yes



No



No


No



No
Yes




No




Yes
No




Yes



No




Yes
Yes




No



No




No
Yes




No




Yes
Yes




No




Yes
No


No




Yes
Yes




No




Yes
No




No




Yes
Yes




No


No




Yes




No
Yes




No




Yes




No
No




Yes
Yes




Yes
Yes




Yes
Yes




Yes




Yes
Yes




Yes
Yes




Yes
Yes




No




No
Yes
Yes




Yes




No
Yes




No




No




Yes




No
No
No




No




Yes
Yes




Yes




Yes
Yes




Yes
Yes
Yes
Yes




No
No




Yes



Yes

No




Yes




Yes
Yes




Yes




Yes




No
Yes




No




No
No




Yes




Yes




Yes
Yes




Yes




No




Yes
Yes




No




No




Yes
Yes




Yes
No
Yes
No




Yes
Yes




Yes
No




Yes
Yes




No




Yes
Yes




Yes




Yes




Yes
No




No




No




Yes
No




Yes
No




Yes



No
No




Yes




No




Yes
Yes




No




No




Yes
Yes




No
Yes




No




Yes




No
No




No




Yes
Yes




Yes




Yes




No
Yes




Yes




No
Yes




No
Yes




No




Yes




No
Yes

				
DOCUMENT INFO: posted 7/25/2012, 570 pages, 55 views.