Information security is not only a growing field, but one in which there is a tremendous need for knowledgeable talent. Our society has become more dangerous and complex, with consuming simple online services putting our personal security at risk. In view of this, many companies and government agencies are searching for individuals that can protect their interests from these growing risks.
Some forward-thinking individuals have seen this trend and recognize many opportunities in the information security field. Many people are now interested in finding out how they can enter the field; however, understanding which training path to take can be very difficult. And there are others already working in the IT field who simply want to change careers or become more proficient in information security.
I’ve been asked the same question by many people trying to break into the industry. All of them seem to have one thing in common: thinking that gaining a special certification will immediately catapult them into being a “qualified security professional.” While certain certifications are useful, they are not the only thing that needs to be considered. This brings me to my first suggestion for those wanting to make this a career …
Develop the security mindset
This step is probably the most difficult, but it is the most important. Without having the security mindset, you will not be effective at your work and you will overlook hidden threats. This step involves being able to think outside of “expected behaviors,” as this is where most threats will lurk.
How can you develop a security mindset? Considering unexpected behavior includes becoming accustomed to looking at scenarios from many different angles. Get used to seeking accurate detail and don’t be satisfied with surface answers. If you do not thoroughly understand something from start to finish, keep asking questions until your doubts are resolved and your knowledge is as complete as possible.
Also keep in mind that since you are trying to consider the unexpected, there will be many times when your concerns will be viewed as paranoid, excessive or ridiculous. Remember, however, that all throughout history any preparations for unprecedented events were always viewed as foolish … until the event actually occurred.
Speaking with individuals that are already in this field and reading selected books on the topic can be a great aid to developing this type of thinking.
As a security professional, conducting thorough research will help you create logical and reasonable arguments to reinforce your concerns. Once equipped with this information, be prepared to stand your ground!
Identify your path
Once you start understanding how to think like a security pro, you’ll need to identify with which aspect of security you’d like to be involved with. There are many paths you can take. They include:
Ethical hacker/penetration tester
These security reps are individuals who work to find weaknesses in computer programs and computer networks. This type of work is very detail-oriented and requires the practitioner to be very skilled in networking, some aspects of programming and protocol analysis. They must also have a deep system-level understanding of computers, servers, network devices and security controls.
This type of work involves reviewing the administrative and technical controls around networks and computer systems storing an organization’s data. This also includes the review and examination of documentation such as policies and compares these against industry best practices. Based on the results, the auditor will recommend certain changes or enhancements to improve the security posture of the client.
A compliance role will involve similar work but will compare findings against specific standards (government or industry standards) and then make recommendations for changes or enhancements to ensure compliance with the standards involved. This type of work requires a deep understanding of the technology along with a very clear knowledge of security best practices, compliance standards and how to apply them to daily scenarios.
Forensics involves retrieving information from computer systems as part of investigations into malicious or criminal activity. This can include finding evidence to support claims of data theft, breaches due to hacker activity and illegal content stored on computer systems. This requires special training to understand the software used in this work and the correct retrieval techniques required to protect the integrity of any evidence for use in a court of law.
The practitioner is responsible for designing and building security solutions for computers and networks. This requires a very deep understanding of networking, computer technology, protocols and diverse technology.
IT security engineer
Among other duties, a security engineer is tasked with the daily operations of protecting an organization from threats or direct attacks. They work to implement needed security controls and participate in investigations resulting from attempted breaches. This role requires close attention to detail, deep understanding of computer and network technology, protocol analysis and incident response experience.
Once you’ve identified your chosen career path, you can start to look for appropriate training to help you develop your skills in that area. Where can you find training? Before you start investing large sums of cash into different courses, try exploring free online training programs.
While your training will have much further to go, there are options to give you a basic start in the industry. By enrolling in a course, you will be exposed to core security or technology concepts that you can use as building blocks to help you get to the next step in your career path.
As you learn, never forget to make connections and ask questions. Doing so will allow you to connect with other talented individuals that are already in the field or may have made progress from which you can learn.
Once you’ve received training, you can identify a certification that will assist you with finding employment in that area. While not exhaustive, the following list are worthwhile credentials to obtain:
CISSP — Certified Information Systems Security Professional
This certification has pretty much become a default for anyone wanting to demonstrate security knowledge and serious commitment to the occupation. While this certification does not necessarily confirm an individual’s technical knowledge, it does show that the candidate understands a wide range of basic-to-advanced security topics.
You might consider this certification similar to a driver’s license. It does not reflect the person’s driving style or abilities, but it does show that a person understands traffic laws and has passed a road test.
These certifications are very valuable in the industry. The training that a person is required to complete is very thorough and exposes the candidate to the application of security methods in real-world scenarios. The tests for these certifications are not trivial, and an individual must demonstrate a high level of technical knowledge.
The CCIE Security credential is very valuable and only attainable for highly-skilled individuals. This certification focuses on the ability to troubleshoot advanced security solutions and apply these controls to the components of a complex computer network. This certification demonstrates a person’s abilities, since the candidate must not only pass a written exam but also pass a hands-on timed lab where their networking and troubleshooting skills will be put to the test.
With a field as diverse and ever-changing as information security, there is much more information to learn and consider. However, this small list of items can help point you in the right direction if you’re planning to make infosec a career!