My thoughts are that the best entry level position would probably be some sort of sysadmin role. If you are good at it, positions will open up soon enough.

Sysadmin roles also tend to hit upon a lot of different fields, and cover a lot of ground. A well rounded background seems fairly crucial to computer forensics.

But I've had people ask me similar questions before, and my first response if "what do you mean by 'security'? ". It's kind of like saying you want a job in performance or quality.

But you do say you are interested in computer forensics, which is a lot more focuses and specific. So thats a good start.

Unfortunately, I think the best background for computer security related work is just an extensive background in the field. But most of the folks I've dealt with in the field that seemed to know what they were doing (sadly, a small percentage of people involved) seemed to have come from a systems administrator or systems programmer background. Note that the higher levels of sysadmin starts blurring into systems programing pretty heavily.

I'd also suggest finding a open source project that is explicitly security oriented (firewall code, intrusion detection, crypto, authentication libraries, etc) and start contributing.

A good admin with reasonable programming skills and a keen sense of what "security" as a whole involves will be able to find a job just about anywhere.

I personally don't put any faith in certification programs when it comes to hiring people, but I may be in the minority on that.
posted by alikins at 11:20 AM on February 12, 2007 [1 favorite]

Find a Free Software project that needs your help. It's a good way to make connections and learn to work with people while accomplishing something that will do people good. Your age, lack of degree, lack of experience, etc., are irrelevant; only your skills are important.

The Economic impact of open source software on innovation and the competitiveness of the Information and Communication Technologies (ICT) sector in the EU report found that most firms said they would pay people with FLOSS (free/libre/open source software) experience but no formal degree the same as those with a formal degree but no experience. (big PDF, see page 66)
posted by putril at 11:51 AM on February 12, 2007

Get the degree. Your alternative is to get an entry-level MIS/admin job and work your way up, which would take more time and have a higher opportunity cost than finishing college, and probably be just as frustrating.

Also, you need a better story than "college just wasn't for me" when you talk to potential employers. Employers want to believe that you will be a stable long-term employee.

Agreed, especially for something as specialized and critical as security. This isn't a path you can short-cut.
posted by mkultra at 12:01 PM on February 12, 2007

alternatively, learn how to be a threat to computer security.

then when you get noticed by the cia/fbi/nsa, go to work for them! a win-win deal since that's all you really want anyway.

the whole get to the front door through the back door mentality.

in a socially-acceptable light, a while ago, the NSA was doing an internship program, that's where I would go with your background and interests. it would involve moving to virginia, but that's ok, eh?
posted by emptyinside at 12:29 PM on February 12, 2007

My son could be you. He's 20 and after two years of various tech this and that he's finally realized (after MUCH nagging) he's going to need to go to a good school to study with like minds.
I miss being young and naive.
I'll trade you (just kidding).
Oh and don't get married, you're too young.

scurries away
posted by bkiddo at 12:31 PM on February 12, 2007

Another way to anoint yourself as an expert in a niche subject like this is to become the goto guy for broadcast and print media on a given subject. Make your name as an "expert" in computer security, and pretty soon, that's what you become. It's imperative that you at least sound like you know what you're talking about, though.

You could start by creating a publicity kit, and then send it to local television and radio stations, and once you have a few successes there, you can farm yourself to the national and international news organizations.

Once you have those sort of credentials, you can probably maneuver yourself into the offices of the Fortune 500 fairly easily.
posted by Dave Faris at 12:52 PM on February 12, 2007

Kevin Mitnick's bio might give you some (not necessarily good) ideas.
posted by wackybrit at 1:08 PM on February 12, 2007

Another way to anoint yourself as an expert in a niche subject like this is to become the goto guy for broadcast and print media on a given subject. Make your name as an "expert" in computer security, and pretty soon, that's what you become. It's imperative that you at least sound like you know what you're talking about, though.

Contrary to what the entertainment industry would have you believe, it just doesn't work that way. You become the go-to guy because you're an established expert, not because you hand out a bunch of leaflets saying you are. Newspapers, magazines, and TV stations are (generally) not run by imbeciles who can't tell an industry veteran from a 19-year-old college dropout.
posted by mkultra at 1:09 PM on February 12, 2007

Are you refuting my advice on experience and knowledge, or is it more a gut feeling of yours? I mean, I've had a little experience in it. I've been interviewed on local news radio as a "computer expert" several times. (In my case, I got my foot in the door because I knew a reporter at the station.) And while I admit becoming one of those talking-head spokespersons on CNN is more than just a longshot, it's as valid as any of the other advice given here.
posted by Dave Faris at 1:29 PM on February 12, 2007

The only way I can see you pulling this off without going to school is by networking and doing jobs for people you know.

If you are good with computers you should be able to do some work fixing people's computers, but it's not at all a sure thing. I used to fix people's computers fairly regularly, but it was never even close enough to enough to live off of.

The only other front I could see you having any luck on is web design/development. There doesn't seem to be the same emphasis on formal education in that field as there is in the rest of software development. You should be able to pick up XHTML/CSS pretty quickly and then dig into the meatier stuff, namely javascript, PHP and/or perl, XML and databases (probably MySQL). Once you've got some confidence in your abilities, and an example site or two built, you can see if anyone you know needs some work done. For a simple site that doesn't really need to DO anything, just display some information XHTML and CSS will be enough. Once you've got some finished work, and references, to your name, things should get easier.

I don't think either of those are particularly good options though, just existent ones. I think they're both long shots at best, and if you're going to have to consider supporting a family any time soon, you should aim for stability instead.

It is possible to study computer/information systems security in university, and it is an active field of research. If that's what you're really interested in, then you should go back to school. I'm 20, and there were two main factors that led to me getting my current job. I'm in school (they would never have even looked at me if I wasn't), and I know the language that most of the company's software is written in. The school should also be able to help hook you up with a job, whether through a co-op program of some kind, working for a professor, or any industry contacts the school may have. Failing that, the simple fact that you're currently in school seems to make a big difference to employers.

Yeah, studying computer science might be a drag, but since you've got no experience, it's a hoop you're probably going to have to jump through to be taken seriously. Why? Until you've got the courses done to prove otherwise, you're just a dilettante, and nobody's going to want to take a chance on you.

Any certification that's worth getting would probably be pretty expensive and time consuming, at which point you'd probably be better off working toward a degree.

Whatever you decide to do, as someone who was in a similar situation (aside from the marriage thing) not long ago, I wish you the best of luck.
posted by benign at 1:31 PM on February 12, 2007

Are you refuting my advice on experience and knowledge, or is it more a gut feeling of yours?

The former. I have am friends with both journalists and people who actually make a living being SME's (subject matter experts). Being friends with someone on the inside will certainly open doors for you, but a couple radio appearances just aren't going to establish you as an expert, unless you're a "personality".

it's as valid as any of the other advice given here.

No, it's not. Stop being ridiculous. "Go back to college" is valid advice. "Start at the bottom" is valid advice. "Invent a persona as an expert" is not.
posted by mkultra at 1:48 PM on February 12, 2007

You could get some support/admin experience under your belt. Study for the CISSP. Maybe also the CCNA. Start applying for entry-level auditor positions at security companies after you've got a couple years of experience in IT.
posted by damn dirty ape at 2:03 PM on February 12, 2007

If you want to work in forensics, you're going to end up needing a four year degree. The sorts of companies that hire forensics experts tend to disqualify anyone who doesn't have one. It's not that the degree directly teaches you anything about the career, but the successful completion of a degree in any field shows some employers that you're a dedicated individual who can see something through to completion.

Yes, that's kind of lame, false logic, and yes, most of the smartest people in the computer industry don't have degrees -- but forensics is one of those fields that works more directly with people outside of the industry, who tend to be much less likely to even look at a resume that doesn't start (or end) with "B.A./B.S. in _____". (Though in reality, to get the best gigs, during the summer after your junior year, you'll find an internship, and hopefully you'll do a good enough job that they'll want to hire you when you graduate.)

Now, if you're interested in systems/network security, intrusion protection/detection and the like, then you should look for entry-level systems administrator jobs (and you should be looking for them in tech hotbeds like Silicon Valley and Boston -- anywhere else is likely to be career-limiting, and you might as well start your career and build your personal network in the best place to do so, since you're young enough to move somewhere easily). Virtually everyone who is a systems/network security practitioner started their career as a Junior Sysadmin, and worked their way up. It's a demanding, often thankless gig, filled with lots of frustration (see: alt.sysadmin.recovery), but if you can handle it (or love it) for 4-5 years, you'll find yourself extremely employable -- and ready to focus (professionally) on security, rather than just being a systems generalist with a lot of security clue.

There's a good reason that it takes years: security is hard, and it's holistic, and the best (possibly the only) way to get a holistic view of systems maintenance is to have a background in maintaining systems. It's one of the few careers that's still taught almost as an apprenticeship.

Lots of people know a little bit about how to secure a machine or even a network of machines -- and this is dangerous, because they (almost universally) think they know much more than they do. This is because security (much like systems maintenance) is not a set of practices or procedures, but a way of thinking. This is why certifications aren't very valuable -- they can only teach/test on practices and procedures.

Like Zen, there are no shortcuts to learning this way of thinking; it is something that you learn by doing it under the guidance of someone who has done it before you. It takes patience and dedication, and for the right people, it is extremely rewarding.

So either get yourself back to school and grunt through three more years of work that won't directly relate to your chosen career (but will help you get into the career), or go out and find yourself an entry-level gig and learn how real people run secure networks. Whatever you choose, stick with it for a few years.

And don't get married at 19/20, while trying to build a career and a family(!!). That's a recipe for disaster on all fronts. Why not just move in together (perhaps as part of your move to Boston or Silicon Valley)?
posted by toxic at 2:08 PM on February 12, 2007

One other good point for going to school to get a CS related degree. If you are good, theres a pretty decent chance you could end up working for the university doing IT type work.

I did this myself and found it to be very useful. Some of the best systems programmers I know also took this path. You get to stay in school, but also work on a big heterogeneous network with lots of machines where security issues of all sorts pop up on a daily basis. More than likely, you will learn a lot more applicable skills on the job, than from the school.
posted by alikins at 2:23 PM on February 12, 2007

alternatively, learn how to be a threat to computer security

This used to be good advice, back in the days where just having a computer and knowing how to connect it to other people's networks would label you as an enthusiast -- and when enthusiasts were hard to find.

Now, because everyone's mom has a computer with spyware loaded on it, being a security threat is more likely to land you in a Pound You In The Ass prison.

If you have so much as been investigated for a computer crime, you will have a hard time getting a security clearance. Without one, forget a forensics career.
posted by toxic at 2:54 PM on February 12, 2007

1. College degrees do matter. They do not matter to each person the same way (ie: some think it means ubersmarts, others think it's a display of tenacity) but they will unquestionably change the outcome of employment agreements. I've had people say they couldn't hire me due to lack of degree. HR departments, feh.

2. A+ (etc) are meaningless. The only certifications that carry any weight beyond mom and pop shops are from cisco and microsoft. You may scratch one of those off if you wish.

3. If you really, truly want to work your way up, you're probably going to have to start up in either dial-up tech support or a mom and pop shop that does contracts for local businesses. I've done both of these, and neither are particularly pleasant.

I completely agree with what alikins said. I never went to college, but I got contracted to help work on the ONU network in high school, and I learned a whole lot about how things worked in general. I also did all of this for high school credits, but i don't know if people still do things like this. Hell, they only did it back then because they didn't know what else to do with me.

(I got a few lucky breaks. YMMV)
posted by onedarkride at 2:58 PM on February 12, 2007

If college is not for you, (legal) computer-careers are not for you.
posted by phrontist at 4:40 PM on February 12, 2007

I know quite a few computer security people (gratuitous self linking). A degree is not important. It will however allow you to move about more freely, as getting visas and work permits becomes easier. What is important is doing real useful research. To do that you're going to need to work hard and study. Here are my suggestions for some things to work on.

1) Learn how to reverse engineer. Learn how to use IDA. Read everything Halvar, FX, Gera, The Gruq, and other luminaries in the field have written. Know x86 assembler inside and out.

2) Spend some serious time reverse engineering stuff. Start looking for 'sploits in software, cracking games and commercial software and disassembling malware and viruses. Write and publish at at least two or three 'sploits on bugtraq so that you have some credibility. Spend all your free time breaking software that isn't spent reading about how other people break software or talking to people who break software.

3) Find others to hang out with. If you publish cool 'sploits, you will eventually get invited to the cool IRC channels - there is no other way. Spend some time hanging out with the OpenBSD people looking for bugs and auditing their software. Lots of people I know in the antivirus industry spend/spent some of their time auditing OpenBSD. Start looking for bugs in Mozilla (Window Snyder, the CSO for Mozilla is well respected in the security community, so getting her attention by doing good work on a volunteer basis is a good strategic move). Find other open source projects around security to make a contribution to, and a name from.

4) Do research, publish papers, give talks. After some time doing lots of auditing and reversing you will begin to notice new types of bugs. You will develop your own way of doing things; your own toolkit. You will have your own advice for others on how to do what it is you do. Respond to our call for papers with a proposal. Do the same for BlackHat/Defcon, Schmoocon, Recon, Ruxcon, SSTIC, CCC, etc. Give good solid technical talks, without marketing or management bullshit. Talk to some publishers about maybe writing a book. Collaborate with others whenever possible.

Most of the people I know in the security field, especially the ones doing forensics/auditing/pentesting/vulnresearch started this way. Most of them are self taught; few have degrees.

If you post 5 solid exploits to bugtraq, you will get a job offer from someone. Keep in mind as well, that the going rate for 0-day remote root, browser or mail client exploits is between $10000 and $100000 on the open market.

Good luck, and remember... this shit is fucking cool
posted by mock at 5:02 PM on February 12, 2007 [6 favorites]

This thread is closed to new comments.