7 steps to building a successful career in information security
The number of information security jobs is continuing to grow as businesses scramble to hire skilled professionals to protect their data. Some researchers predict there are over 3 million such jobs available in 2021. With this kind of demand, matched by sizable paychecks, it's no wonder more and more people are considering it as a career option.
In this article, we discuss the steps you should take to start and build a successful career in information security.
What should you learn next?
1. Work out if it's right for you
You can enter the field from school, college, from another tech discipline or, with enough planning, persistence and personal development, from an unrelated discipline. But before you start the journey, you need to make sure it's a good fit. You'll need passion to make a success of it, so don't just follow the paycheck.
While there isn't a formula, common character traits of successful information security practitioners include being analytical, persistent, curious and perceptive. They like solving problems and have an engineering mindset: they revel in details, want to know how things work and enjoy the challenge of fixing them when they break.
Soft skills become more important as your career develops. But because threats and breaches often impact different areas of an organization, you must be a good communicator – able to talk in business not just technical language – and an active and positive team player.
You'll also need to work out-of-hours on self-development since the threat landscape and response tools change so often that it's difficult to commit enough time during the workday to keep on top of the latest information.
2. Narrow down your options
The days of the "security expert," who knows about everything, are over. The focus is now on niche specialists. These days, you can specialize in areas such as web application security, forensics, compliance/risk management, auditing, network security and identity management. You'll find a good list of roles here.
Choosing a specialty won't stop you from moving to another later in your career, but in the early days, it's best to pick an area that has a buoyant job market and that serves as a cornerstone for future career development.
Search current hot topics and find out what commentators and practitioners are tipping as future market trends. No one can predict what will happen for sure, but it will help shape your career plan.
Remember, there are employment opportunities in the private and public sectors. Although many of the roles and skills are the same, the characteristics of each are different.
Some people intuitively don't want to work for the government, while others see it as a high-profile employer and a relatively safe long-term career option. As for the private sector, you might get more variety, but working for an information security service provider also means you quickly tire of airport lounges. Each option has ups and downs, and not every path will suit everyone.
3. Self-development can get you a long way fast
To defend something from attack, you need a good grasp of how it works. To understand or prevent network intrusions or attacks, you need to understand network architecture, and to help address system compromises, you need to understand system architecture and programming basics.
So before you wade too deeply into security matters, make sure you know the technology.
Beyond the huge number of sites with free resources, including from Infosec, there are specialist information security books and conferences such as the big annual events like Black Hat, DEF CON and RSA, and a host of smaller, local events that are often free and a great networking opportunity.
Social media - Reddit, Stackexchange or the many groups on Twitter and Facebook – has endless tips and guides, and lets you keep track of hot topics and job opportunities.
Get practical experience applying what you learn
Information security is a good example of a career where experience counts for more than formal education. Every job, even entry-level, asks for some experience as a prerequisite for an interview, so get as much of it as you can.
Many practitioners have their own lab setup. Aside from adding to your IT knowledge as you build and maintain it, a lab means you can exercise different security scenarios without bringing someone's system down. It used to be expensive to buy the software and hardware and energy-hungry to operate, but now you can hire most things from cloud-based suppliers.
Hackathons, capture-the-flag exercises or hacker playgrounds are a good way to try out your skills for real. Once you're a step further on, you can find software bugs for vendors and earn in the process.
4. Getting certified deepens your knowledge and opens more doors
For some people, self-development is enough to get their career going, but others will want to add formal training and certifications.
Most employers value experience, critical thinking, self-learning and motivation more than certifications, but large corporations or government bodies are different. If you're aiming to get hired in that sector, you need to consider it.
If you've got a degree in a computer science subject from a credible institution, that's a big help, but otherwise or in addition to that there's a range of organizations offering certifications recognized industry-wide.
CompTIA, (ISC)², ISACA, EC-Council and GIAC are the most popular, as well as vendor-specific certification bodies like Cisco and Microsoft. Other popular entry-level certifications are Security+, offered by CompTIA, and the Certified Ethical Hacker, offered by EC Council.
DoD-approved certifications can also help open the door to working in the sizeable defense market.
5. Work hard at getting that first job
Chances are your first information security job won't come quickly or easily.
With any luck, your social media networking will get you a foot on the ladder. Otherwise, you'll be in the same cycle as every other job hunter: search, apply, repeat.
On the upside, there are lots of information security job opportunities, so the process shouldn't be too onerous. Just be prepared to persevere and be patient.
Some employers offer internships which, with little or no salary, aren't a great option. However, they can be beneficial if you view them as an opportunity to get through the door of an attractive employer. If that's you, then commit to making a success of it quickly and getting onto the proper payroll fast.
Create a resume that will get attention
Your resume is most likely to be the first thing a potential employer sees, so take time to get it right. There's a lot of resources available to help, but the main things to remember when you are at the early stages of your career and have little, if any, employment to leverage are:
- Experience needs to be front and center. The areas we described above are all relevant, so describe them in detail.
- Tailor your resume to the job ad; don't just send the same one to each potential employer (as most applicants do). Read the job ad properly (most people don't do that either) and provide examples of how you meet the characteristics and skills they're looking for.
- Keep it short. Most recruiters will only scan a resume to see if it ticks their boxes. Faced with a pile of resumes to get through, they're most likely to throw out the long ones straight away.
If you get a positive rejection — they like your resume but you don't have enough of the right experience — ask for a referral to a company that might be a better fit. You might be lucky and get a few tips.
Once you've written your resume, contact a few recruiters. They know what skills clients are buying, and some will give you good advice on the measure of your resume against market demand.
At the interview
It's sadly common for candidates to inflate their credentials, so expect to be challenged at the interview. Employers have been burnt too many times to take things at face value.
The selection process often involves facing off against an expert and might include practical tests, so brush up beforehand. A good knowledge of the current threat landscape and high-profile attacks, particularly how they apply to the employer's business, shows you're thinking about the business implications and not just the technical ones.
6. Take full advantage of your first job
The priority is to work hard and deliver what's asked of you, but you should be mindful of the career development benefits too.
Develop your soft skills and learn to speak in a language that the general corporate worker understands. This will be important as you move into other information security roles: auditing, for example, where you must communicate with a lot of different stakeholders.
Take advantage of any training that's offered and ask to attend conferences — funded, of course, by the employer.
Find a mentor, someone that's been around the security block and can give you invaluable career guidance but also some help on technical challenges. And as you develop, become a coach to others that are just joining the organization. Push to get involved in the big, high-profile projects and don't shy away from the challenges.
Finally, move on at the right time. At the early stages of your career, that's usually easy to figure out: it's when you've stopped learning.
7. Don't stop when you've just started
Building a successful career in information security is a long-term commitment. Self-learning doesn't stop and, since you'll face more responsibility and greater challenges, it takes on even more importance.
Rather than use social media or conferences to soak up knowledge, you can gradually move towards becoming a contributor. Running your own blog or publishing software tools to help other practitioners are ways of establishing your credentials and getting a reputation that will help you move forward to even better jobs
What should you learn next?
Sources
- Cybersecurity Jobs Report 2018-2021, Cybersecurity Ventures
- Information Security Analyst Salary, Payscale
- DEF CON 26, InfoSec Resources
- Bug Bounty List, Bugcrowd
- Government, CompTIA
In this Series
- 7 steps to building a successful career in information security
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity