Steptoe Cyberblog

Careers in Computer Security

Posted in Cybersecurity and Cyberwar

One of the things I like about computer security is how uncredentialed the whole field is. Very few senior computer security people started their careers in the field. One of the best I knew started her career as a nurse; others as cops; a few as lawyers. Some even started in computer science. But this is a field where academic institutions have not yet established a monopoly on entrance.

If that’s so, with jobs as scarce as they are, and security as bad as it is, shouldn’t we see a mass movement toward computer security work? We should. But the very lack of established credentialing channels that I find so refreshing leaves students who only know the credentialing world a little confused. How do they break into the field?

Well, luckily, Brian Krebs is riding to their rescue, with what looks to be a very interesting series of interviews of computer security gurus about how to get started in the field. His first interview, with Thomas Ptacek of Matasano Security, has some daunting and some very practical advice. On the daunting side, he quite properly suggests learning to code: “No one factor gives you as much control over your career, as much of an ability to write your own ticket, as the ability to solve problems using programming languages.” On the practical side, he offers tips on how to slide into security from some other IT job:

  • If you’re already in an IT role, and want to come up on the defensive side of appsec, try to position yourself near custom software development. Most large firms build “line of business” applications. As a rule, building “line of business” isn’t particularly fun. But defending those apps can be; sometimes, the most boring applications turn out to be surprisingly sensitive.
  • And the good news for doing appsec in BigCo’s: most companies have very immature security programs. If you can get a role in QA, or in what the cool kids are calling “DevOps”, you can end up with a lot of influence in security.

If you’re looking for a career in computer security, you should read the whole thing — and sign up for the series.