What is the most useful advice you have for future cybersecurity professionals?
Tactical76 is very correct. HOWEVER, security is often a make or break issue for companies, and breaches and successful attacks are reputationally devastating.
Security is more and more becoming THE issue. You will make mistakes. This is not about fair and balanced advice. Represent the risks accurately, and do not "go quietly into the night" unless and until you are sure that management has UNDERSTOOD the risks and accepted them. Terms have different meanings to different people. As an expert witness it has often been required to bring a judge or jury up to speed on terms that I use. But until they understand what I am offering, they cannot make a informed decision.
I get this question a lot.
Infosec is not a very good first stop for those new to technology. I always recommend IT/IS students to spend a couple years doing something else (appdev, sysops, networking, etc.) before circling back around to security. All practisioners have their strengths and without a good industry baseline, those strengths are hard to forge. That said, starting your career as, let's say, a Web developer and always incorporating OWASP Top 10 into your testing will make you a better developer and a huge asset to any team you join. There's a good chance after a year or two, they'll actually send you off for training to be their appsec person.
Be a part of the community. I worked in infosec for over a decade before taking part in community events. I went to small one-day conferences and such, but never the local meetups or week-long cons. My knowledge and local network for advice and reference improved drastically since becoming a part of the local scene. That led me to attend a few cons, where I got to meet people who are at the leading edge of security practisioners.
Say hi. A lot of us in cyber-security are kind of introverted. We get into our little circles of friends and end up staying there. We're pretty friendly, though. When you attend a social event, make it a point to meet 3-4 new people. Let them know you're new to the event and there's a good chance someone will take you around to meet people. Add the people you meet to your Twitter feed. You'll probably learn more there than anywhere else.
And when you do get into infosec, keep in mind that most people dislike us. You can change that perception. People see us as an obstacle to innovation, deadlines, and profit. A good infosec team is a resource to the different departments to improve their stability and long-term profitability. Sometimes we have to be the bad guys, but that's just so the real bad guys don't pwn us and our customers.
Not sure where to start as this is a huge area to cover and may differ if you are working in an organization (end user) or a consulting company;
If you are working in a company and need to
A) Convince your boss:
B) To team mates, staffs and everyone else:
C) And as for oneself:
1) Get experience by building your own lab. Insecure.org has lots of free tools.
2) Do not become the Department of No. The biggest knock on INFOSEC community is that we are the people that will always tell you no. We need to learn that the customer has a need and they do not know the best way to secure it. That is our job to help the find a solution that reduces the risk to an acceptable level to the executives.
3) Look for things that are not being done. I got into INFOSEC because I was changing tapes on out backup server 14 years ago and noticed that it had an anti-virus console on it. I asked my boss who was monitoring it daily and she said "No one." I asked if I could do that and she said yes. I kept looking for duties I could add to my resume. This allowed me to gain experience in many of the domains.
4) Security podcasts. Use your downtime to listen to them. I used to have an hour and a half commute. Security podcasts kept me company and informed the whole time. I used "dead" time as training time. Some of my favorites are:
Paul's Security Weekly
The Social-Engineer Podcast
SANS Internet Storm Center
A few things to keep in mind:
Don't expect 6 figures after getting your CISSP. If you are one of the lucky ones to land a six figure salary after getting one certification, good for you, you won the lottery.
I have mentored several folks and all but one of them lacked the delusion of making a hefty salary. A career in Cyber Security will definitely command an excellent salary for years to come and if you focus your efforts on cloud services and or white hat practices, we are going to need more folks like you.
Just be patient and stay the course, the salary will find you if you love what you do.
The most important advice is this:
FIND WHAT YOU LOVE TO DO.
If cyber security is not your passion and you got into it because you thought the money would be good, you are setting yourself up for a miserable experience. Find what you really love to do. The money will find you.