Hey #infosec n00bs!!

One of the worst habits we have in security is speaking in absolutes. Saying things like "Unhackable", "Breachproof", "Fully Secure", "No Risk". They're simply untrue.

But this also includes when we talk about skillsets. There are no absolutes.

So when someone says, "You must know x, y, z" or "You have to do a, b, c" to get a certain job (or any job) in security, you can simply toss out those absolutes in with all the other fallacious absolutisms that security people throw around. Simply ignore them.

The reality is we need people of all different skillsets, all different backgrounds, and with all different perspectives in order to be successful. Security is about problem solving and problem solving is strongest when different viewpoints collaborate.

Even within a specific security domain, job class, or title, we need that diversity of thought, skillset, perspective, etc. in order to thrive. You'll notice that job descriptions, as awful as they can be, do bear this out. Requirements for the same title will vary by org.

Sure, there will always be skills, experience, etc. that might make the job easier, different, etc. but that doesn't mean they're required or that you need them to be good at that job.

Anyone who says otherwise is misleading you. Again, consider the source carefully.

And if you doubt my expertise on this subject, feel free to ask me about how I've gone from a hacker at 12 years old to a security executive at 44.

Or ask around to other infosec people and pay attention to how many will agree with the above points.

What I'm saying is, study what you're interested in. Play around with the technologies you find fascinating. Develop the technical security skills that you find most intriguing. We'll have a place for you no matter what you choose and we want you here!!!

