Information security is undoubtedly a hot area for the IT savvy among us, and as a dynamic discipline it presents a wealth of options for InfoSec careerists.
With a number of routes in, from audit and compliance to forensic analyst, the three most common launch pads to a career in information security come from systems administration, networking and development. Systems administration tends to be the most common and with the current socioeconomic emphasis on cyber security, most individuals managing and administering systems will be au fait with the security component that has had to become a prerequisite of their job. Though while any or all of these are desirable, certainly employers are looking for IT, networking or security-related experience; demonstrable passion, effective networking within local InfoSec organisations, such as ISSA and ISACA, and conferences such as DefCon, Black Hat and ShmooCon, and knowledge gleaned from topical reading can also get you a foot in the door.
It is also an area where finding a qualified mentor will prove invaluable. Having an experienced someone to guide you through the certification process and subsequent career progression will help you define the area of Information Security you best fit with. They may also suggest creating a website or blog on which to showcase your work and abilities because as you ascend the rungs of Information Security you will have to rely on your knack for self-marketing to reach the tiers of seniority.
The first thing any InfoSec insider will advise is to attain the right certifications. Starting with the entry level options that include, among others, Security+, Linux+, A+ and Network+, and one of the most well-regarded in the industry, the SSCP cert from ISC² and moving on to the advanced certs such as CISSP, which covers security policy and security management, CISA or CISM which will round out your qualifications with some audit exposure, C│EH if you want to specialise in ethical hacking or penetration testing (pen-testing) and the SANS technical certifications GSEC, GPEN and GWAPT.
Understanding which area of information security, in particular, peaks your passion the most will act as an invaluable step in directing you to the right role, so study up. There are plenty of books available on the extensive types of security that exist, so whether mobile security or virtualisation security is your bag, reading around the subject and essentially becoming an expert on it will lend you an advantage in the long term.
Starting out it helps to know what your options are to progress into the InfoSec space. In addition to the aforementioned trio, there are a number of roles that offer a good platform, starting with Security Analysts or SOC Analysts. Furnishing you with both formal and informal training across a number of security areas, a good analyst position will give you the opportunity to attain your certifications in parallel with on-the-job experience to enable you to move into a more specialised role three years down the line, or less. A Forensic Analyst role exposes you to a range of platforms from memory and mobile device to network forensics while a Malware Analyst role requires analytical thinking to evaluate the capabilities of malware, adware and other hacking tools.
Penetration Testers (or pen-testers) create opportunities to uncover areas of weakness by simulating network attacks, a role that offers a great insight into the mind of an InfoSec professional as it requires an extensive knowledge of multiple operating systems and networking. Audit and compliance, Security Engineer and Governance and Policy are all excellent launch-pads to move on to a career in Information Security, offering a well-rounded view of security protocols and processes.
Information Security is a field that relies both on methodical and analytical thinking as well as proven ability to put knowledge into practice. Having some kind of lab set up at home, whether it comprises of a laptop in possession of something like VMware or a full on server, employers are looking for individuals with the passion and know-how that comes from constantly experimenting, learning, building, running projects and developing skills and experience. Your lab serves to illustrate not only your passion for InfoSec but also your ability. InfoSec is considered an advanced discipline, which is why having substantial tech experience behind you is preferable to employers.
In addition to networking and systems administration, programming skills are a definite must-have for any aspiring InfoSec professional. Without those skills you’ll find your opportunities for Information Security jobs sorely limited. Being able to code shows employers you can build anything from a website to an Active Directory forest and adds an important string to your bow. The point of course is that from the projects you’ve been running from your home lab and your coding expertise, you will conceive of an idea and subsequently create a useful tool or utility that ultimately solves a problem for your employer.
This is where an understanding of the business is also key for individuals applying to jobs in Information Security. Companies hire InfoSec professionals to mitigate the risk to their business, so if you’re able to communicate effectively with all levels of your organisation in a language they can relate to so much the better. Instead of getting into the nitty gritty of security details, discuss the issues at hand within the framework of risk and mitigation thus proving your worth as someone with both the technical savvy and the soft skills to execute them effectively.