How to Get a Job in Information Security
Don Parker at SecurityFocus has an article called Skills for the Future about how to get a job in information security. He outlines one path, and while I don’t deny it’s a good one, and probably the most common, it’s not the only way, either.
There are quite a few different areas of specialization within information security. The one people most often think of is the network security specialist — someone familiar with configuring firewalls, network intrusion detection systems, routers, and distributed defense mechanisms like anti-virus and patch management. These people are primarily charged with securing the perimeter.
However, there are others. I’ve made my career mostly in application security — studying how to develop software to be secure, so that even if perimeter defenses fail and an attacker can interact with an application, they’re unable to take control of it. This requires different skills than the network security path — specifically, it’s important to know several programming languages, have a background in software engineering, and be familiar with how application exploits are constructed (stack buffer overflows, heap overflows, pointer arithmetic issues, command injection, cross-site scripting, etc.) and the various defenses that exist against them (both coding techniques and tools like DEP/NX, GS, ASLR, SAL, etc.)
Other specializations in security include compliance auditing and penetration testing. Compliance auditing is less technical, and involves ensuring that internal controls match up with various regulatory and industry requirements, but often those requirements are security-focused. With recent regulations like SOX and industry standards like PCI DSS, there’s an amazing amount of demand for compliance auditors. Penetration testing is often seen as the most “glamorous” of information security jobs, as it essentially amounts to being hired by companies to hack into them. It requires a very broad array of security knowledge, since the best way into a system is wherever the system is weakest — sometimes this will be network security, other times application security, and other times the people operating and configuring the system. Thus, flexibility is key. However, due to the “mystique” of penetration testing, there are more people who want to be pentesters than are qualified for the job, and more people qualified for it than there is demand for it, so it’s not a very good entry point for the security industry.
There is one thing that is important to success in the information security industry — what I call the “security mindset.” You have to be the sort of person who, when you look at a system, thinks about what’s wrong with it. In my experience, some people have just always thought this way, and some people never do. For example, in The Art of the Steal, Frank Abagnale mentions a man who happened to share a name with a notorious drug dealer. As a result, he had to carry a letter from the Department of State to show to airport security whenever he tried to fly internationally, as his name would come up on every imaginable no-fly list as someone to be detained. What do you think of when you hear this story?
For me, the immediate thought was, “Oh, so if I were wanted by police and needed to flee the country, I could just forge a letter from the Department of State saying that I was not really the wanted criminal who happened to share my name. It’d be easy enough to find out the name of some undersecretary in the State Department and get a copy of their signature. If you wanted to be really authentic, you could also buy a phone and give it to a friend who would impersonate the State Department for you, preferably one with a fax machine in case they ask for any corroborating documentation. Of course, you’d best use a prepaid cell phone so your friend doesn’t get caught, either.” It’s just how security people think — we look at a system or a countermeasure, and see how it goes wrong, and what bad assumptions the system makes. This is important because the attackers think the same way — if we can think of a weakness, they can, too, so it’s important to shore up those weaknesses. Software testers often have the same mindset — it helps them find bugs, by finding the things developers didn’t think of.
So, if you want to get into security, and you aren’t right now, what do you do? There are a few preparatory steps:
- Get at least a year or two of real-world experience in a related field — network engineering, software development, systems administration, IT consulting. You can’t get by with security knowledge alone — you have to know how to secure something.
- Get a CISSP certification. The CISSP is a great breadth-oriented certification — it shows that you know at least the basics about all aspects of security, and have knowledge outside a narrow domain. It does have an experience requirement — three years of work in one of the 10 CBK domains — but the domains cover practically everything in the IT industry, so as long as you’re not fresh out of school you can likely meet it. The CISSP exam isn’t so easy you could pass it with no experience, but it’s not very difficult, either. You’ll also learn a lot studying for it — no matter what your specialization is, it will cover areas you know nothing about (cryptography, physical security & life safety, and disaster recovery are new to a lot of prospective CISSPs.)
After that? If you really want an information security job, you really have to focus in that direction. Once you have a couple of years of experience in a related field, don’t keep taking jobs in that field — look for security jobs. If you’re not in a major metropolitan area, this can be difficult. However, I know from experience that I spent far too much time in general development jobs with a little bit of security exposure when what I wanted to do was full-time security work. I would try to get security-related assignments, doing security testing and fixing security bugs, but there’s only so much security experience you can get when it’s not your main focus, and prospective employers know this. What launched my security career was being willing to jump into an IT security job even when it was in a less desirable area for me (network & infrastructure, when my specialization was development) and involved a substantial pay cut. What that first job is doesn’t matter that much — once you’re there, you’ve gone from a person who wants to be in information security to being an “IT security professional.” It’s easier to move around to the job you want once you have a foot in the door. Remember, in the modern technology industry people often don’t stay in a job for more than 12-18 months; it’s not a lifetime commitment to take a less-than-ideal job.
Many people ask about certifications and their importance to a security career. I would say that the CISSP is vital — many employers use it as a quick check of if you’re a “real” security person. However, beyond that, there are many things that can be useful, but that experience can substitute for. I do see some value to the following:
- ISACA’s CISA certification. This is highly valued if a.) you want to go into compliance auditing, or b.) you want to work for a large consultancy. If you want to do internal, very technical security work for a corporation, it’s not important.
- Microsoft’s MCITP certifications (or their predecessor, the MCSE.) It’s a nice thing to have on your resume, showing you know a lot about Windows environments, which make up most of the corporate world. Unfortunately, these certifications are extremely test-focused. On the plus side, it means that you can pass them with no experience, just studying for the test. However, it also means that even if you have a ton of experience, you still have to study a lot for the test, as they cover a great deal of material that is rarely used in the real world (e.g. unattended deployment scripts for servers) that you’ll just have to memorize. There is a problem of “paper MCSEs” who have passed the test but know very little, which has devalued the certification in industry, but it’s still useful.
- For application security specialists, having something to show your development experience is good. Microsoft’s MCPD certification or Sun’s SCJP certification can do this. Your first job in application security isn’t going to be reviewing kernel architectures — most of the world’s applications are managed code, either .NET or Java. Thus, these are a good place to start.
I think that the technical certifications are very helpful for getting initial jobs, especially since they don’t have experience requirements like the CISSP. However, they do have a useful life — once you’re making $100,000 per year or more, no one will ever ask, or care, if you have an MCITP, MCPD, or SCJP. They show technical knowledge if people don’t have any other way to know if you have it — but a long career in IT or development will show technical knowledge even better.
The most important thing is to be good at more than one thing. Security is a broad field by its nature — attackers go for the weakest point in the chain. There’s a larger market for security generalists than specialists in any one area, and even the specialists need to have a general background. If all you can do is firewalls, you’re competing for a smaller pool of jobs than if you can do firewalls, but also UNIX or Windows sysadmin work, or programming.
Great Job, Great Article. Nothing better when you get to read the right stuff at the right moment. I am an Entry Level Masters in Information Management with Database Systems Specialization and an intense desire to carve my career towards CISA / CISSP. Nothing could have helped me make an informed decision as this article has done it now. I came across this article while I was looking for proven approaches towards Information Security Career. I would be happy to subscribe to any letters / articles (if there are any) that are focused on adopting right path towards Info Sec Careers.
Thanks again.
Regards
Umang Doshi
umang_doshi@yahoo.com
[...] Grant Bugher of the Perimeter Grid blog had a post covering another route to the information security field. The route he describes and has personally taken pulls heavily from experience in development and writing secure code. This route is crazy interesting to me and I’m glad to see I’m naturally heading down the road he’s talking about. [...]
[...] this higher level of production also has weak spots that need to be addressed. This is where an IT security professional comes to [...]
[...] this higher level of production also has weak spots that need to be addressed. This is where an IT security professional comes to work [...]
Which type of course do I need to take to get this job?
Nice article, a very useful one. Keep going!
Very nice article. You really helped me know which way to go from now, because I’ve just graduated with an MSc in Information Systems Security and wasn’t clear on where to go next. I was thinking, for someone with a very small budget, would Network+, Security+, CCNA and then CCNA Security be as good as or close to the CISSP? Also, I’ve just put up this website to share knowledge; would you and the rest of the community following this site be so kind as to visit it (www.infosectutorials.com) and give me your opinion and guidance on any of the topics there?
Much appreciated.
Honestly, with a master’s degree I would not bother with Network+ or Security+ — those are both certifications for entry-level technicians. Honestly, the industry has changed a bit since I wrote this post over 4 years ago. CCNA can be useful if you’re going the networking route, though mostly as a route to Cisco’s more advanced and more respected certifications. It’s on par with a Microsoft or Sun certification, really.
The CISSP is not really a high bar. It’s not a capstone cert like it was many years ago; it’s just above entry level and has little value by itself unless you have experience to back it up. With a master’s degree I think you have all the “certification” you need for a first job; what’s going to help you the most now is actually working in the industry for a year or two, preferably in security but at the very least in a networking or development role.
I like your article for the great advice that you provide. I am about 5 courses away from completing my Master’s in Information Assurance combined with an MBA. I have been teaching IT to high school students over the last 8 years and I am preparing for a career change. Even though I have an A+, Network+ and an MCP, I am concerned about my lack of experience in the field being able to land my first job. What would you recommend? Some people are telling me to study programming and Linux. I enjoy infosec and am a little concerned about after graduation.
The master’s degree is a good start. The A+ will mean nothing and the Network+ very little; for the MCP it depends on what it’s in. I think the real question is what sort of job you’re wanting to get.
There are multiple paths in infosec — audit & compliance, risk & governance, engineering & architecture (with this divided into operations or development.) Demand for infosec jobs is really high — unemployment in security is low, which will work to your advantage. The most important thing is to learn an area and really know it well — this could mean studying operational certifications (ISO 27001, etc.) for an audit role, studying security policy and governance (and perhaps getting a CISSP) for a governance role, or studying programming or operations for an engineering role. There are certainly certifications in all those areas, but your degree and experience can probably get you an interview (which is all certifications do for you anyway.) Your ability to demonstrate knowledge in an area is what will get you a job.
Hi Grant Bugher,
Thanks for your article. “There’s a larger market for security generalists than specialists” — very nice point.
Thanks for your response, Grant. Would you suggest that I start by taking the Security+ certification, since it appears that you need to have a certain number of years of experience before taking the CISSP certification? I have been actively applying for internships, but my lack of experience in the field makes it hard to get one. Any ideas?
I appreciate your inside information.
Thank you so much for this article; it was very informative and provided me with a bit of direction! I’m currently working as an access control manager (physical + systems). I have a strong compliance background and would like to get more into info security from a risk and compliance point of view. I have a BCom Risk Management degree and am now thinking of doing the CISSP and CISA before crossing over. What are your thoughts on this?
Noble: On one hand, yes, there is definitely a larger market for generalists. Most companies don’t have more than a couple of security professionals; only a large corporation or tech/Internet company would have enough to employ specialists, so most specialists work as consultants. On the other hand, specialists get paid more, and even as a generalist you’re going to need some kind of technical skill, whether IT/ops or engineering/development.
Gege: In my opinion Security+ has no value if you’ve ever had a job — it’s so entry-level that I would only recommend it to a college student or someone moving in from a non-tech field to show basic competence, and even then I’m pretty dubious — I totally ignore Security+ on resumes when I’m hiring, even if I *am* hiring someone entry-level.
As for CISSP’s experience requirement, really don’t worry about it. As I say above, a few years in almost any tech field will meet it, so this really only matters when you’re first starting out (which it sounds like you might well be.) You can always get Associate of ISC2 (i.e. pass the exam without meeting the experience requirement) then upgrade the cert later.
All this said, honestly since I wrote this post four years ago I think certifications have declined in value. There are so many “paper CISSPs” out there with no real tech/security background who just studied for the test that hiring managers tend to discount it. Same goes for CSSLP, CEH, and even the advanced ISC2 certifications. People still put a lot of stock into the SANS certifications (which are good but exorbitantly expensive) and the advanced Cisco certs (i.e. the ones above CCNA), but not a lot else.
At this point, most certifications are just something you put at the bottom of your resume to get past the HR screener and show up in LinkedIn searches; once you get to the interview, nobody cares and it’s all about ability to talk about your real-world experience and demonstrate technical skill.
Busi: If you want to stay in governance, risk, and compliance, CISA is useful. It’s well-respected in the GRC world, but is considered nontechnical. If you want to move out of it and into technical security, it’s not, and CISSP would be better.
The most important things, though, remain 1.) be good at more than one thing, and 2.) be able to demonstrate real-world technical skill. Certifications only open the door, you still have to walk through it, and this is even more true today than it was four years ago.
I will be graduating with a B.S. in I.T. with ISS focus next year. What certs will help me land a job in the I.T. security field?
It seems at first glance that getting in on the ground floor with anything but a masters is impossible. What do you suggest I look for with a Bachelors to get to work with little real work tech experience?
Nice article, but I wonder why nobody mentioned CEH, ECSA, GIAC and CISM. I am CEH and ECSA certified, and one can easily step up in infosec by achieving these certs. CISSP is not vendor-oriented and it requires vast experience. I have seen technocrats who are masters in infosec but have still to get this cert because of its pervasiveness. See, application and network security are totally different aspects. I suggest someone should start his career in application security (SQLi, XSS) and end up in network security; you can easily earn $$…
jwarn, I know very few people in information security with a Master’s degree; indeed, since the very idea of colleges offering information security programs is relatively new, I’ve never seen a security job requiring anything beyond a bachelor’s degree outside of very narrow specialist fields (e.g. cryptanalyst.) As a hiring manager, someone with a Master’s degree and no experience is just a more expensive fresh college grad; I’d consider the degree a disadvantage.
However, due to the near-total lack of security programs in colleges, it’s hard to move directly into security from college. Learn the security field you want to go into, and take a job in development or operations as appropriate to get some experience before moving into security. Being able to demonstrate competence and knowledge is more important than having some specific degree.
Sarang, I’d agree that some of the advanced SANS GIAC certifications are pretty good. As a security professional, one of them would certainly be helpful for moving into a new field — e.g. if you were a forensic analyst who wanted to move into application security or penetration testing. I’m less convinced of the utility of the others you mention; around where I work, at least, CEH is totally disregarded (it’s a nonentity on a resume), and a CISM is very seldom going to be a deciding factor for a security management role — by the time one’s at a technical manager career stage, certifications have less importance than experience. I can’t speak to ECSA as I’m not very familiar with it and don’t know anyone who has one.
CISSP isn’t vendor-oriented, but it’s quite easy and can be acquired with no experience studying from one textbook. It would probably take a very broad experience base to pass it without studying, true (I mean, whose work experience includes application & network security, cryptography, GSM radio, bollard placement, and fire suppression systems?), but no one passes it that way and the ISC2 CBK is small enough to learn from a textbook. This does make it largely a “paper cert” which has devalued it in the industry, but it’s still required to get past the HR gatekeepers in many organizations.
Breadth is certainly valued in the security world; I agree that starting in application security and picking up networking and operations can be lucrative.
Hi Grant,
Thanks for the article; it was very useful. Guys, I need your advice. I am still studying for my bachelor’s degree (information systems) and I am doing it part time. I have a great interest in network security. Do you think starting to do courses for A+ or N+ can help me?
Thanks for the article; it has also helped me move on to the next step in my career. I recently graduated with a master’s degree in network security, and I now plan to invest in interning to get hands-on experience, and I will try to acquire my CISSP next.
I have been working in the retail sector for the last six years, but now I want to quit the retail sector and make my career in information security.
Please advise.
Thanks, Grant Bugher, for the nice article, which is helpful to me in changing fields.
I’m about to complete my undergrad degree, which is in Computer Science. I want to pursue a career in information security (pen testing, securing systems, security consultant, etc.). I was hoping to apply for an MS in Information Security/Assurance, which is offered by some schools. However, I see that for getting security jobs, one requires at least 2-5 years of experience. I do hold several certifications (MCP, MCDST, MCTS, Brainbench Security Awareness and Internet Security) and plan to gain more of them (security-related) in the future (maybe alongside a master’s degree), but currently I do not have relevant work experience (only internships). My question is: would going for an MS in computer science with a specialization in security help me in pursuing the career that I desire (i.e. get some work experience and then transition to security), or should I directly aim for an MS in Information Assurance, hoping that a more relevant degree will land me a job somewhere?
Karan,
I know of very few people in infosec with advanced degrees at all; many don’t even have a bachelor’s. Experience is regarded as far more important than education, since the security landscape changes so quickly that education and certifications become rapidly obsolete. If you really want to get into penetration testing and security consulting, you can probably get into that now with one of the major firms (since they’re accustomed to hiring recent college grads and training them), and then leverage that work experience into a more interesting boutique consultancy in a few years. An MSCS could be very useful if you want to go into reverse engineering, malware analysis, or exploit development, though.
As a manager hiring technical security experts, I admit I don’t even consider an advanced degree as relevant — it’s pretty much ignored in the hiring process. An MSIA may be useful to you 10 years down the line when going for a security management job, but it’s not going to do a lot right now.
Thanks a lot for the quick reply.
Hi Grant,
Thanks for your advice.
Having gone through this information, I feel the most important thing for me to do is gain some hands-on experience in the security field. This is the major challenge. I am based in Kenya, where this is relatively new, with no opportunities.
My background is a Diploma in IT, and I am currently studying for my undergraduate degree in IT. Most of the jobs that I have done so far involve hardware maintenance, software installation and elementary network administration. I need a challenge; unfortunately I have been unable to come by any. Please advise, as I feel underutilized.
Hi Grant,
Just to follow up on my last comment. The drift I get from you is that one is better off diversifying than specializing.
The options I have are getting certification for my skills in hardware and networking, viz. A+ and N+, and some Oracle certification courses, i.e.:
- Linux, Java, MySQL, Database
or alternatively acquiring Microsoft certifications, i.e.:
- Microsoft Certified Professional (MCP)
- Microsoft Certified Technology Specialist (MCTS)
- Microsoft Certified IT Professional (MCITP): Enterprise Administrator, Server Administrator, Database Administrator
Please advise.
Grant,
I am currently in an Information Security bachelor’s program and I have no idea what direction to take. Honestly, I just want to get into the industry once I graduate, to get the ball rolling.
I saw in your comments that you said certs are not necessarily tantamount to job acquisition since this article was written. This was my interpretation of it, at least; I’m not trying to put words into your mouth.
What type of job do you recommend looking for upon graduation in about another year? I know that’s a broad question, but could you steer me in a particular direction with a B.S. in IS with no certs?
Thank you!
I am in the same boat as JRobert. I am finishing up my BA in IS. I have great grades but no work experience or certifications. I am really getting nervous that I won’t be able to get even an entry-level position anywhere. I am not even sure which direction to take, as I am proficient in many different areas in IS.