How to become an information security professional
Introduction
Information security is not only a growing field, but one in which there is a tremendous need for knowledgeable talent. Our society has become more dangerous and complex, with consuming simple online services putting our personal security at risk. In view of this, many companies and government agencies are searching for individuals that can protect their interests from these growing risks.
Some forward-thinking individuals have seen this trend and recognize many opportunities in the information security field. Many people are now interested in finding out how they can enter the field; however, understanding which training path to take can be very difficult. And there are others already working in the IT field who simply want to change careers or become more proficient in information security.
What should you learn next?
I’ve been asked the same question by many people trying to break into the industry. All of them seem to have one thing in common: thinking that gaining a special certification will immediately catapult them into being a “qualified security professional.” While certain certifications are useful, they are not the only thing that needs to be considered. This brings me to my first suggestion for those wanting to make this a career …
Develop the security mindset
This step is probably the most difficult, but it is the most important. Without having the security mindset, you will not be effective at your work and you will overlook hidden threats. This step involves being able to think outside of “expected behaviors,” as this is where most threats will lurk.
How can you develop a security mindset? Considering unexpected behavior includes becoming accustomed to looking at scenarios from many different angles. Get used to seeking accurate detail and don’t be satisfied with surface answers. If you do not thoroughly understand something from start to finish, keep asking questions until your doubts are resolved and your knowledge is as complete as possible.
Also keep in mind that since you are trying to consider the unexpected, there will be many times when your concerns will be viewed as paranoid, excessive or ridiculous. Remember, however, that all throughout history any preparations for unprecedented events were always viewed as foolish … until the event actually occurred.
Speaking with individuals that are already in this field and reading selected books on the topic can be a great aid to developing this type of thinking.
As a security professional, conducting thorough research will help you create logical and reasonable arguments to reinforce your concerns. Once equipped with this information, be prepared to stand your ground!
Identify your path
Once you start understanding how to think like a security pro, you’ll need to identify with which aspect of security you’d like to be involved with. There are many paths you can take. They include:
Ethical hacker/penetration tester
These security reps are individuals who work to find weaknesses in computer programs and computer networks. This type of work is very detail-oriented and requires the practitioner to be very skilled in networking, some aspects of programming and protocol analysis. They must also have a deep system-level understanding of computers, servers, network devices and security controls.
Auditing/compliance
This type of work involves reviewing the administrative and technical controls around networks and computer systems storing an organization’s data. This also includes the review and examination of documentation such as policies and compares these against industry best practices. Based on the results, the auditor will recommend certain changes or enhancements to improve the security posture of the client.
A compliance role will involve similar work but will compare findings against specific standards (government or industry standards) and then make recommendations for changes or enhancements to ensure compliance with the standards involved. This type of work requires a deep understanding of the technology along with a very clear knowledge of security best practices, compliance standards and how to apply them to daily scenarios.
Forensic consultant/investigations
Forensics involves retrieving information from computer systems as part of investigations into malicious or criminal activity. This can include finding evidence to support claims of data theft, breaches due to hacker activity and illegal content stored on computer systems. This requires special training to understand the software used in this work and the correct retrieval techniques required to protect the integrity of any evidence for use in a court of law.
Security architect
The practitioner is responsible for designing and building security solutions for computers and networks. This requires a very deep understanding of networking, computer technology, protocols and diverse technology.
IT security engineer
Among other duties, a security engineer is tasked with the daily operations of protecting an organization from threats or direct attacks. They work to implement needed security controls and participate in investigations resulting from attempted breaches. This role requires close attention to detail, deep understanding of computer and network technology, protocol analysis and incident response experience.
Get trained
Once you’ve identified your chosen career path, you can start to look for appropriate training to help you develop your skills in that area. Where can you find training? Before you start investing large sums of cash into different courses, try exploring free online training programs.
While your training will have much further to go, there are options to give you a basic start in the industry. By enrolling in a course, you will be exposed to core security or technology concepts that you can use as building blocks to help you get to the next step in your career path.
As you learn, never forget to make connections and ask questions. Doing so will allow you to connect with other talented individuals that are already in the field or may have made progress from which you can learn.
Get certified
Once you’ve received training, you can identify a certification that will assist you with finding employment in that area. While not exhaustive, the following list are worthwhile credentials to obtain:
CISSP — Certified Information Systems Security Professional
This certification has pretty much become a default for anyone wanting to demonstrate security knowledge and serious commitment to the occupation. While this certification does not necessarily confirm an individual’s technical knowledge, it does show that the candidate understands a wide range of basic-to-advanced security topics.
You might consider this certification similar to a driver’s license. It does not reflect the person’s driving style or abilities, but it does show that a person understands traffic laws and has passed a road test.
GIAC®️ certifications
These certifications are very valuable in the industry. The training that a person is required to complete is very thorough and exposes the candidate to the application of security methods in real-world scenarios. The tests for these certifications are not trivial, and an individual must demonstrate a high level of technical knowledge.
CISCO certification
The CCIE Security credential is very valuable and only attainable for highly-skilled individuals. This certification focuses on the ability to troubleshoot advanced security solutions and apply these controls to the components of a complex computer network. This certification demonstrates a person’s abilities, since the candidate must not only pass a written exam but also pass a hands-on timed lab where their networking and troubleshooting skills will be put to the test.
What should you learn next?
Conclusion
With a field as diverse and ever-changing as information security, there is much more information to learn and consider. However, this small list of items can help point you in the right direction if you’re planning to make infosec a career!
In this Series
- How to become an information security professional
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity