Everything in IT is constantly changing, and it is exactly the same within infosec. Whether working as a penetration tester, a social engineer, a hardware hacker, or even as somebody defending your company servers against tyrants of people trying to hack in. It doesn't change the fact that the field is constantly changing.
But this constant advancement is a double-edged sword, making people need to constantly strive to learn new things, but at the same time making it
Since technology is constantly changing it means that there are many companies still with legacy systems, meaning you need to know not only the new exploits, and architectures coming in, and the ever-growing scope of attack, but the old systems that still plague offices (and banks and supermarkets and bedrooms and ....) all over the world.
Even if you're not a vulnerability researcher, and are just somebody who dips their toes in a bit of everything in infosec, you may not need to know how things work down to the bit-level, but you still need to constantly keep up. You need to keep pushing yourself to keep learning, and that's something that people in information security all have in common. The curiosity that they want to know. They want to keep learning, want to keep reading blog posts, and whitepapers, listening to podcasts. They want to know why something works, and how it does it, and then how to break it.
But this can also make it very difficult for people trying to get into the industry.
- To me, there are 3 kinds of people wanting to get into infosec: The people coming straight from university (like myself), who have become really interested in computer security,
- Those coming from another department of IT, that want to move into security
- Those who are neither, more often younger people who didn't get to go to university, and might have a low level job in IT, or no job at all.
The first category, of being a student, or somebody younger who have become really interested in the infosec industry and want to learn more and more about it, and then, obviously try to make it a profession.
The biggest problem here is experience. Since they won't have as much experience as somebody who has been working with technology day-in, day-out, it makes it feel as if there is a huge amount to catch up on before they have even started. They might not have administered lots of different servers over many years, they won't necessarily know about certain configuration problems, or what certain errors mean, and these are mainly small things, but a lot of them can add up, but is all this just to say that they are no good? Of course not, it would be stupid to dismiss somebody as they haven't been working in IT for years.
The second way I think of getting into infosec, I believe the more common way, is to come from somewhere else in IT.
But this also brings with it a disadvantage, in that, a lot of jobs in IT may not have the same growth and may not move as fast infosec, so the people coming from these areas may not be used to the pace and it could come as a shock to the system to have such an overload of information.
And the last option is somebody who has just become really enthusiastic about security (I'm not including script kiddies who are just going through a phase), but again don't have the experience, and may not have the qualifications to get their resume past the HR department, but just because they don't, who is to say they cannot make it? I would rather talk to somebody enthusiastic about security that sees it as a way of life, who wants the constant learning, than say a master's student straight out of university who doesn't care about it and just wants it as a job.
But either way, there is the HUGE problem of having to learn the stuff that everyone in infosec already knows, while at the same time trying to learn everything that is currently coming out, and I think this may be putting people off and not allowing people into the industry.
Either way, I believe getting into security is really challenging, let alone staying there, and more importantly wanting to stay in the industry.