Information security is a tough field to break into, and a growing group of information security professionals are finding that it's a whole lot easier if someone has their backs.
A programme started in March called InfoSec Mentors has already paired more than 100 mentors and mentees who share their expertise on technology as well as broader issues such as how to define and achieve career goals, spread their ideas about the industry and overhaul their resumes.
"I wish there had been something like this when I was trying to make my start in the industry," says Melissa Fagan, who organised the programme after hearing a talk about the one-day mentor programme organised by Stacy Thayer held this spring at the Source Boston conference.
Since then she has driven InfoSec Mentors by soliciting participants and matching up more veteran professionals with relative newcomers or those who are looking for guidance in making career changes.
The group got a shot in the arm recently at the Security B-Sides conference in Las Vegas where 30 more people signed up for the programme, she says.
A survey of participants showed that 20% weren't making a productive connection with the mentor or mentee they were paired with. In those cases, Fagan finds them another partner. Mentors have backed out for a variety of reasons including insufficient time to devote and a mentee's interest in black-hat hacking.
Another 20% who said they were very satisfied were actively working on projects together such as resume tuning, starting up blogs or doing programming exercises. "Anyone who worked on a project was definitely satisfied," Fagan says.
The other 60% said it was too soon to declare the programme a success or failure because they hadn't done much yet, but they could see that it would be successful once the relationship kicked in, she says. So far everyone who has volunteered has been matched but there are no guarantees.
Jack Kowalsky, a mentee who has been doing DOS and Linux administrator work for the past six years, has been paired up with a Web application security professional, Dave Rook, in Ireland. They've corresponded about how Kowalsky can prepare himself for an infosec career and met in person for the first time at Security B-Sides.
They've authored blogs together about application security and discussed the practicalities of how Kowalsky can move more into that area. "I'd read and studied, but I really didn't know anyone who did this for a living," he says.
Scott Hazel is both a mentor and mentee. His mentor, Tom Eston, is an expert on security of social media. Eston helped Hazel set up a Web application testing lab where he hones his skills. "It helps to talk to someone," Hazel says. "Am I looking in the right areas that are relevant to the industry today? We talk about technical questions, but also step back asking, if I want to transition to that industry, what should I look for?"
On the flip side, Hazel is mentor to an Austrian focused on malware analysis and reverse engineering. "I share my expertise if I've got any in the particular area he's looking for," says Hazel, who has 10 years' experience as a penetration tester and consultant. "He really was looking to talk to someone about how to advance in the security industry."
Michelle Klinger, a qualified security assessor from Dallas, says her relationship with a mentor is peer-to-peer and has already helped her rule out one career path. She considered consulting businesses to remediate problems QSAs found in corporate networks, but her mentor told her that would mean more time away from home than she was willing to spend. "We're still working on what the next plausible steps will be," she says.
Meanwhile, she's writing a blog that lets her air her thoughts about, among other things, how PCI standards might be improved. "I don't just want to say it's bad, I want to make it better," she says.
Her mentor has given her some creative assignments including watching the old Clint Eastwood movie "A Fistful of Dollars" with an eye toward discovering lessons it teaches about IT.
"I suspect he'll be able to help me negotiate the political part of the [infosec] community," she says, adding that she suspects the relationship will last a long time. "I don't see it ending."