Presentation: From Developer to Security: How I Broke into Infosec
This presentation is now available to view on InfoQ.com
Abstract
I've spent roughly 18 years building sites and apps for the web and while I always did my best to apply the basics of security, I never truly understood the many ways systems could be hacked. That changed when WannaCry hit and I decided to refocus my career to help secure not only systems, but people. In this talk I'll discuss the impetus for my career change, the challenges I faced as a new person to the community, how I forged relationships that helped me pave a solid path in the right direction and how I eventually broke into this amazing & competitive field. I hope that sharing this will help newcomers better navigate the murky waters of this community.
What is the focus of your work today?
The focus of my work is Security Advocacy at Microsoft. One of the things that we want to do is make sure that we have really strong lines of communication at all levels of the security chain from the C level, CIO, CTO, all the way to the folks that are actually implementing the technologies, rolling up their sleeves and getting their hands dirty with protecting the networks their companies have. My role is to establish those lines of communication with security practitioners, bug hunters and researchers, making sure that the work that they're doing, the tools they are using, the methodologies that are there, that they're capitalizing on, all that stuff is brought back into Microsoft so that we have an understanding of the pulse of the community and that we're also engaging with them in a thoughtful way that supports them and helps them do their job more effectively.
What's the motivation for your talk?
I came from a software development background. I think I had almost 30 years of software development experience before I decided to transition over into security. One of the things that I saw was a need for knowledge and education for application developers across the board, whether you're a web or desktop developer, and also just trying to help people who are interested in security and maybe even want to explore that as a career better understand how they can become involved whether it's as a hobbyist, whether it's as a professional. There's so many different routes and sometimes it feels like it's a bit overwhelming to get into the field because there's so many different areas. I hope to demystify that a little bit, offer my perspective on how I transitioned over and give some guidance to the audience so that if they do want to transition over into security they can understand where resources are to help them do that.
How would you describe the persona and level of the target audience?
The target audience for this talk would be anybody who is interested in understanding how to get into security in some fashion. It doesn't matter whether they're an application developer or an I.T. admin or somebody who is working customer support. There's so many different roles that are applicable to information security and one of the things that I'm a big advocate for is helping people who come from nontraditional backgrounds transition into security. There's a gap of three million job opportunities for cybersecurity professionals and we can't just assume that a person who is going to security will have 20 years of networking experience, hardening systems and things like that. We have to look across a broad spectrum of people and try to find unique sets of talents that can fill those gaps. I like that type of audience. Audiences that are diverse and that want to explore security. So I think it's going to be a good talk for them.
What do you want this persona to walk away with from your talk?
The main thing I want them to walk away with is that they know there is a ton of opportunities in security regardless of where you're at right now. If you're in application development then clearly you know that application security is a hot topic now. And if you wanted to explore that, there's a tremendous demand for security professionals in the application security space. But beyond that, just because you're in software development doesn't mean that you can't explore other opportunities within security. There's open source intelligence, digital forensics and incident response. You have Red teamers, Blue Teamers, Purple teamers, so many different facets of security that might attract people and so I want them to know that, yes, you can do it. Yes, it will be hard work, it's not going to be something that people are going to hand to you and to be just an easy transition. But if I was able to do it, not having a formal security background, then you and the audience can do that as well.