How to Get Started in InfoSec: Tips, Certifications and Career Paths
In a time when it’s crucial for business data to be safeguarded and protected from hackers and breaching attempts, there is a significant need for information security (infosec) professionals who can help keep an organization’s IT infrastructure secure. Keeping critical apps and data inaccessible to unauthorized users, keeping malware at bay, preventing physical and logical damage to systems, and safekeeping information assets from phishing and ransomware all require not only users’ awareness of these threats, but also the ability of infosec professionals to mitigate these risks. Threats have intensified in both scale and sophistication, resulting more and more often in high-profile security breaches, data loss or theft of systems.
Whether through in-house IT professionals or through the help of consulting companies, all businesses eventually need the expertise of an infosec professional or team that can evaluate the risks and the security of their information over time. Experienced, skilled employees are highly sought-after by employers, but many organizations also invest in training current staff and entry-level professionals that can be prepared to address the specific needs of the business while, at the same time, developing stronger loyalty.
Talent development through the use of certification programs is often a priority, especially in larger organizations. Upskilling employees ensures better protection of a company’s strongest asset (information) while also banking on the particular organizational knowledge and vested interest in the company that these professionals already have.
Thinking About a Career in Infosec?
So, if you are interested in a career in infosec or want to advance your already-established one, this might be the best time. The current IT skill gap and the expansion of the threat landscape actually provide great opportunities for new professionals ready to take the plunge and meet the challenges of this new era. Positions that are often advertised include security manager, security administrator or security specialist, as well as security auditor, security consultant, security analyst, security engineer or security architect. There is also great demand for roles such as information assurance managers, information architects or information assurance analysts.
With demand currently well above supply, even non-technical professionals are beginning to look into the possibility of becoming well-versed in infosec and learning to support the creation of proper infrastructures and the implementation of security measures. IT security opportunities are expected to grow; although automated tools have become more and more sophisticated and able to help secure infrastructure, they would be ineffective without the proper setup of systems, the analysis capability and the damage control skills of infosec professionals.
Yet IT companies are struggling to find the right talent, and the industry’s need for more qualified infosec workers escalates. So how can the current and next generation of employees prepare themselves for such a rewarding career and fill security jobs worldwide?
Several programs and opportunities are now available to beginners. In most cases, it all starts with the proper education. Possessing a computer science degree or certificate in Information Technology as well as an Information Security/Assurance specialization, for example, is often the first step towards a career in infosec. This is not always the case, though, as IT security professionals really come from different walks of life. Some land in infosec from other IT fields and use courses and certifications to specialize; some do not even have relevant degrees and enter the field through a combination of passion, hands-on practice and on-the-job experience.
To start, one needs to identify what type of career path in infosec they want to pursue. This helps narrow down, from the plethora of training courses available on- and offline, the ones that will help find a job or progress in the field. It is then important to identify a proper, accredited training vendor that can deliver proven results and is valued by prospective employers. Vendors like InfoSec Institute concentrate on offering a variety of training solutions to fit everyone’s learning needs and schedule as well as providing real-world skills by offering advanced training and certifications for positions at any level in the field.
As mentioned, infosec professionals come from many different paths. When entering the field, there are a few careers that a professional or new graduate can consider: from more general ones including support specialists, IT technicians, help desks, network and systems administrators to specific ones like computer programmers or database administrators and data analysts. In general, it is important to get a good overall knowledge of systems first so as to be ready to protect them efficiently. Jobs in systems configuration and support or even internships for graduates are excellent ways to gain the basic knowledge necessary to enter a career in information security.
As the infosec field comprises many areas, most professionals will normally pinpoint their preferred area of expertise and focus their efforts on courses and industry certifications specific to that area, whether it is network security or Web security or the safety of exchange servers.
Aspiring infosec professionals should focus on developing a portfolio of security skills, especially if they do not have much computer-related education or have completed a specialized certification. Professional IT security training boot camps and certification prep courses, which will help the professional learn various tools and techniques that will assist them in this field, are essential.
Certifications are a major part of an infosec career. A Security+ certification, for example, builds a foundational understanding of information security, tests skills in the core security functions and allows a practitioner to progress towards intermediate roles. To advance into expert, senior roles, CISSP or CISM are great options to boost a career and increase earnings. CISSP is an elite qualification that proves a solid foundation in digital security and in the design and implementation of effective security programs; CISM is geared towards professionals looking to move into managerial positions.
Let us take a look at just a few of the specific careers to consider in the information security realm.
A security architect ensures the security of systems by working with hardware and software as well as devising proper policies and protocols and preparing countermeasures. Their actions are geared towards the prevention of hackers’ attacks and intrusions. These professionals occupy senior positions with (normally) six-figure salaries and therefore have experience commensurate to their tasks, beginning with formal degrees in IT, positions in systems or network administration and a number of training courses and certifications that prove up-to-date knowledge. These often include CISSP and/or ethical hacking options.
Often contractors, security consultants are professionals who are asked to work in conjunction with other IT experts (normally in-house teams) to identify problems in networks and IT architectures and devise solutions. These are practitioners who not only have solid IT backgrounds but also have soft skills like communication abilities and creativity, which help them in their daily interactions with clients and in the preparation of documentation and reports. These professionals normally have formal degrees, but hands-on experience is a major prerequisite; they often have security analysis or auditing backgrounds in their portfolio.
A number of certifications help these professionals progress in their career. After the obvious beginner certifications like CompTIA Security+, they can specialize through CEH: Certified Ethical Hacker, CISSP: Certified Information Systems Security Professional, CHFI: Certified Hacking Forensic Investigator, CPT: Certified Penetration Tester, CySA+: Cybersecurity Analyst, CWAPT: Certified Web Application Penetration Tester and CREA: Certified Reverse Engineering Analyst, as well as certification in systems auditing and analysis (ECSA, CISA, CISM).
Chief Information Security Officer (CISO)
A senior and executive-level professional, the CISO is at the head of security teams and approves most of the actions taken in regard to security: from the approval of design choices for the systems to that of policies and recovery plans. He or she also performs audits, conducts training, directly supervises team members and oversees contractors.
It is obvious that, in order to obtain such a position, an IT professional needs to have years of relevant experience, not only as an IT specialist in the security field but also as a supervisor. Formal education is normally required, and an MBA is often part of the background of such figures. Advanced certifications should include auditor certifications and security manager ones, including CISM, ISSM, CGEIT and CISSP.
The Must-Have Skills for Information Security Careers
Infosec professionals need to possess the right combination of hard and soft skills in order to progress in their career. Technical skills need to include the ability to perform security analysis and penetration testing and to secure cloud and applications, to name a few. Soft skills, however, are equally important. A professional in this field rising to senior positions needs excellent communication skills to deal effectively with stakeholders and great collaboration skills to work with different IT sections of a company, as well as users and managers of other internal customer sections. Creativity and the ability to think outside the box are also important, because of the need to anticipate the moves of adversaries and to surprise them with innovative countermeasures.
But most of all, he or she needs to possess a true passion for professional development. Keeping skills and knowledge up-to-date is paramount in a field that is in constant development and where it is essential to remain relevant in a rapidly-changing job market.
Infosec professionals, like cybersecurity professionals, work in companies of every size and industry to protect organizations from data breaches and attacks. Today’s infosec skills gap, much like the cybersecurity workforce shortage, is causing a strain on the existing workforce and on companies looking to hire professionals who can secure their assets. And with so many jobs unfilled, as seen from the countless vacancies open around the world, addressing the skills gap and shortage by educating the next generation of capable IT security professionals has become essential.
New graduates and professionals should look into breaking into IT or launching a cybersecurity career not only for the many opportunities it now grants, but also for the promise of a career in continuous evolution as technology progresses. This is especially true for the security job market. There are many credentials that infosec professionals can pursue to show potential employers that their skills are fresh. Companies frequently look to new members of staff with certifications that prove they possess expertise in areas such as the “techie side” of IT security; although theoretical knowledge is obviously important, proof of up-to-date notions and hands-on experience is even more valued.