Career In Infosec
AI Generated Summary
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This presentation, delivered at c0c0n 2023, provides career guidance for individuals entering or growing within the information security field. Anant Shrivastava distinguishes infosec from hacking, maps the breadth of security domains and roles, offers practical advice on skill development, certifications, resume building and online presence, weighs startups against corporates and employment against entrepreneurship, and discusses managing finances in a high-paying but volatile industry.
Key Topics Covered
Infosec Is Not Hacking:
- Information security is a professional discipline focused on securing enterprises and businesses — keeping bad actors out, letting trusted users in, and enforcing authorized access
- Hacking is about exploring systems and finding the unknown — it is a passion, not a profession
- Conflating the two leads to misaligned career expectations and hiring mismatches
Domains of Information Security:
- Eight core domains aligned with CISSP framework: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security
- The cybersecurity map reference illustrating the vast landscape of specializations within these domains
Role Types — Offensive and Defensive:
- Offensive roles: Penetration Tester, Red Teamer, Exploit Developer, Malware Analyst, Vulnerability Assessment Analyst
- Defensive roles: Secure Developer, Product Security Engineer, Blue/Purple Teamer, Incident Response Team, Server Administrator, DevOps/DevSecOps professionals, Forensic Investigator, Auditor, Technical Writer
- The field offers far more defensive positions than offensive, yet offensive roles receive disproportionate attention
How to Gain Knowledge:
- Five-stage approach: upskill yourself using resources, read what others are doing, follow knowledge-sharing practitioners, participate in communities and events, and practice consistently
- Practice framework: set up your own lab environment, write about what you learn, talk about what you learn, and present about what you learn
Communities and Events (India-specific):
- Communities: Null Community (null.community), OWASP chapters
- Paid conferences: c0c0n, Nullcon
- Regional events: BSides chapters, DEFCON groups
Upskilling Priorities:
- The IT world is moving toward “as code” paradigms such as infrastructure as code, which makes programming a necessary skill
- Key areas: Automation (Ansible, Terraform), Programming (Go, Rust), Scripting (Python, Bash)
- Accepting programming as essential early in your career leads to better outcomes
Higher Studies vs. Experience:
- Academia: focuses on getting basics right (Bachelors/Masters) and thinking far ahead of commercial needs (PhD)
- Commercial world: provides implementational exposure and practical skills
- Align your choice with whether you want to explore the future (academia) or implement solutions now (industry)
Certifications — A Pragmatic View:
- Certifications prove you could solve a specific set of problems at a specific point in time
- They serve as checkboxes — humans naturally find the shortest path to pass
- Two valid reasons: clearing HR screening filters and accelerated learning when company-sponsored
- Certifications alone do not define competence
Resume Tips:
- General: use simple words, be concise (1 page for 0–2 years, 2 pages for 2–10 years, 3+ only for executives), reduce past experiences to 1–2 liners, emphasize impact over job activities
- Your resume drives the interview — include only items you want to discuss and that demonstrate specific capabilities
- Items to avoid: club memberships, attendance/participation entries (speaker roles are fine), photographs, certificate logos, fancy graphics, and irrelevant hobby achievements
Online Presence:
- Curate your online presence proactively or social platforms will curate it for you
- Associate your professional identity with your own domain, not Gmail or Outlook
- Minimum setup: build your own website, host a blog (write about whatever you learn), and host your resume on it
Startups vs. Corporates:
- Startups: chaos, unorganized, fast-moving, more individual power — essentially PoC builders for the corporate world
- Corporates: processes, organization, brand value, stability
- Startups offset uncertainty (closure, buyout, acquisition) with high compensation — this is golden handcuffs, not your true market value
- Neither is inherently better; decide based on understanding the differences
Entrepreneurship vs. Employment:
- Entrepreneurship is 5–10% tech and the rest is finance, HR, marketing, sales, customer interaction, and everything else including janitorial duties
- Employment provides fixed targets, someone else to blame when things go wrong, and paycheck assurance
- Anyone claiming you can avoid the non-tech aspects of entrepreneurship is misleading you
Financial Planning:
- IT security is among the highest-paying fields in India, but this should not be taken for granted
- Prepare a financial plan: know your expenses, understand runway money and financial independence
- Recommended reading: “Let’s Talk Money” by Monika Halan and “The Psychology of Money” by Morgan Housel
Practice Resources:
- Platforms: VulnHub, PwnedLabs, Hack The Box, TryHackMe, hacker.org, SadServers (defensive), Google Summer of Code (long-term paid projects)
- Free resources: GitHub Student Pack, Packt free daily ebook, free-for.dev developer resources
Actionable Takeaways
- Understand the breadth of information security beyond pentesting — explore the eight CISSP domains and defensive roles to find the best fit for your skills and interests.
- Invest in programming skills early (Python, Go, Bash, Ansible, Terraform): the industry is moving decisively toward “as code” paradigms, and scripting/automation capability is becoming non-negotiable.
- Build your practice framework: set up a home lab, document your learning through writing, and progress to presenting your knowledge — each stage deepens understanding and builds professional visibility.
- Approach certifications pragmatically — use them to clear HR filters and for structured learning, but do not treat them as the primary measure of your competence.
- Craft your resume to highlight impact over activities, keep it concise for your experience level, and include only items you are prepared to discuss in depth during interviews.
- Establish an independent online presence with your own domain, blog, and hosted resume — do not let social media platforms define your professional identity.
- Make career structure decisions (startup vs. corporate, employment vs. entrepreneurship) based on an honest assessment of the trade-offs, and develop a financial plan that accounts for the volatility in compensation across different career paths.