Our current best guess is that people who are interested should consider seeking security training in a top team in industry, such as by working on security at Google or another major tech company, or maybe in relevant roles in government (such as in the NSA or GCHQ). Some large security companies and government entities offer graduate training for people with a technical background. However, note that people we’ve discussed this with have had differing views on this topic.
This is a big area of uncertainty for me. I agree that Google & other top companies would be quite valuable, but I’m much less convinced that government work will be as good. At high levels of the NSA, CIA, military intelligence, etc. I expect it to be, but for someone getting early experience, it’s less obvious. Government positions are probably going to be less flexible / more constrained in the types of problems to work on and have less quality mentorship opportunities at the lower levels. Startups can be good if the startups value security (Reserve was great for me because I got to actually be in charge of security for the whole company & learn how to get people to use good practices), but most startups do not value security, so I wouldn’t recommend working for a startup unless they showed strong signs of valuing security.
My guess is that the important factors are roughly:
Good technical mentorship—While I expect this to be better than average at the big tech companies, it isn’t guaranteed.
Experience responding to real threats (i.e., a company that has enough attack surface and active threats to get a good sense of what real attacks look like)
Red team experience, as there is no substitute for actually learning how to attack a system
Working with non-security & non-technical people to implement security controls. I think most of the opportunities described in this post will require this kind of experience. Some technical security roles in big companies do not require this, since there is enough specialization that vulnerability remediation can happen via other companies.
I think working at a top security company could be a way to gain a lot of otherwise hard-to-get experience. Trail of Bits, NCC Group, FireEye are a few that come to mind.
This all sounds right to me, though I think some people have different views, and I’m hardly an expert. Speaking for myself at least, the things you point to are roughly why I wanted the “maybe” in front of “relevant roles in government.” Though one added benefit of doing security in government is that, at least if you get a strong security clearance, you might learn classified helpful things about e.g. repelling state-originating APTs.
An additional point is that “relevant roles in government” should probably mean contracting work as well. So it’s possible to go work for Raytheon, get a security clearance, and do cybersecurity work for government (and that pays significantly better!)