How to Get a Job in Information Security
Don Parker at SecurityFocus has an article called Skills for the Future about how to get a job in information security. He outlines one path, and while I don’t deny it’s a good one, and probably the most common, it’s not the only way, either.
There are quite a few different areas of specialization within information security. The one people most often think of is the network security specialist — someone familiar with configuring firewalls, network intrusion detection systems, routers, and distributed defense mechanisms like anti-virus and patch management. These people are primarily charged with securing the perimeter.
However, there are others. I’ve made my career mostly in application security — studying how to develop software to be secure, so that even if perimeter defenses fail and an attacker can interact with an application, they’re unable to take control of it. This requires different skills than the network security path — specifically, it’s important to know several programming languages, have a background in software engineering, and be familiar with how application exploits are constructed (stack buffer overflows, heap overflows, pointer arithmetic issues, command injection, cross-site scripting, etc.) and the various defenses that exist against them (both coding techniques and tools like DEP/NX, GS, ASLR, SAL, etc.).
Other specializations in security include compliance auditing and penetration testing. Compliance auditing is less technical, and involves ensuring that internal controls match up with various regulatory and industry requirements, but often those requirements are security-focused. With recent regulations like SOX and industry standards like PCI DSS, there’s an amazing amount of demand for compliance auditors. Penetration testing is often seen as the most “glamorous” of information security jobs, as it essentially amounts to being hired by companies to hack into them. It requires a very broad array of security knowledge, since the best way into a system is wherever the system is weakest — sometimes this will be network security, other times application security, and other times the people operating and configuring the system. Thus, flexibility is key. However, due to the “mystique” of penetration testing, there are more people who want to be pentesters than are qualified for the job, and more people qualified for it than there is demand for it, so it’s not a very good entry point for the security industry.
There is one thing that is important to success in the information security industry — what I call the “security mindset.” You have to be the sort of person who, when you look at a system, thinks about what’s wrong with it. In my experience, some people have just always thought this way, and some people never do. For example, in The Art of the Steal, Frank Abagnale mentions a man who happened to share a name with a notorious drug dealer. As a result, he had to carry a letter from the Department of State to show to airport security whenever he tried to fly internationally, as his name would come up on every imaginable no-fly list as someone to be detained. What do you think of when you hear this story?
For me, the immediate thought was, “Oh, so if I were wanted by police and needed to flee the country, I could just forge a letter from the Department of State saying that I was not really the wanted criminal who happened to share my name. It’d be easy enough to find out the name of some undersecretary in the State Department and get a copy of their signature. If you wanted to be really authentic, you could also buy a phone and give it to a friend who would impersonate the State Department for you, preferably one with a fax machine in case they ask for any corroborating documentation. Of course, you’d best use a prepaid cell phone so your friend doesn’t get caught, either.” It’s just how security people think — we look at a system or a countermeasure, and see how it goes wrong, and what bad assumptions the system makes. This is important because the attackers think the same way — if we can think of a weakness, they can, too, so it’s important to shore up those weaknesses. Software testers often have the same mindset — it helps them find bugs, by finding the things developers didn’t think of.
So, if you want to get into security, and you aren’t right now, what do you do? There are a few preparatory steps:
- Get at least a year or two of real-world experience in a related field — network engineering, software development, systems administration, IT consulting. You can’t get by with security knowledge alone — you have to know how to secure something.
- Get a CISSP certification. The CISSP is a great breadth-oriented certification — it shows that you know at least the basics about all aspects of security, and have knowledge outside a narrow domain. It does have an experience requirement — three years of work in one of the 10 CBK domains — but the domains cover practically everything in the IT industry, so as long as you’re not fresh out of school you can likely meet it. The CISSP exam isn’t so easy you could pass it with no experience, but it’s not very difficult, either. You’ll also learn a lot studying for it — no matter what your specialization is, it will cover areas you know nothing about (cryptography, physical security & life safety, and disaster recovery are new to a lot of prospective CISSPs.)
After that? If you really want an information security job, you really have to focus in that direction. Once you have a couple of years of experience in a related field, don’t keep taking jobs in that field — look for security jobs. If you’re not in a major metropolitan area, this can be difficult. However, I know from experience that I spent far too much time in general development jobs with a little bit of security exposure when what I wanted to do was full-time security work. I would try to get security-related assignments, doing security testing and fixing security bugs, but there’s only so much security experience you can get when it’s not your main focus, and prospective employers know this. What launched my security career was being willing to jump into an IT security job even when it was in a less desirable area for me (network & infrastructure, when my specialization was development) and involved a substantial pay cut. What that first job is doesn’t matter that much — once you’re there, you’ve gone from a person who wants to be in information security to being an “IT security professional.” It’s easier to move around to the job you want once you have a foot in the door. Remember, in the modern technology industry people often don’t stay in a job for more than 12-18 months; it’s not a lifetime commitment to take a less-than-ideal job.
Many people ask about certifications and their importance to a security career. I would say that the CISSP is vital — many employers use it as a quick check of if you’re a “real” security person. However, beyond that, there are many things that can be useful, but that experience can substitute for. I do see some value to the following:
- ISACA’s CISA certification. This is highly valued if a.) you want to go into compliance auditing, or b.) you want to work for a large consultancy. If you want to do internal, very technical security work for a corporation, it’s not important.
- Microsoft’s MCITP certifications (or their predecessor, the MCSE.) It’s a nice thing to have on your resume, showing you know a lot about Windows environments, which make up most of the corporate world. Unfortunately, these certifications are extremely test-focused. On the plus side, it means that you can pass them with no experience, just studying for the test. However, it also means that even if you have a ton of experience, you still have to study a lot for the test, as they cover a great deal of material that is rarely used in the real world (e.g. unattended deployment scripts for servers) that you’ll just have to memorize. There is a problem of “paper MCSEs” who have passed the test but know very little, which has devalued the certification in industry, but it’s still useful.
- For application security specialists, having something to show your development experience is good. Microsoft’s MCPD certification or Sun’s SCJP certification can do this. Your first job in application security isn’t going to be reviewing kernel architectures — most of the world’s applications are managed code, either .NET or Java. Thus, these are a good place to start.
I think that the technical certifications are very helpful for getting initial jobs, especially since they don’t have experience requirements like the CISSP. However, they do have a useful life — once you’re making $100,000 per year or more, no one will ever ask, or care, if you have an MCITP, MCPD, or SCJP. They show technical knowledge if people don’t have any other way to know if you have it — but a long career in IT or development will show technical knowledge even better.
The most important thing is to be good at more than one thing. Security is a broad field by its nature — attackers go for the weakest point in the chain. There’s a larger market for security generalists than specialists in any one area, and even the specialists need to have a general background. If all you can do is firewalls, you’re competing for a smaller pool of jobs than if you can do firewalls, but also UNIX or Windows sysadmin work, or programming.
Great job, great article. Nothing better than getting to read the right stuff at the right moment. I am an entry-level Master’s in Information Management with a Database Systems specialization and an intense desire to carve my career towards CISA / CISSP. Nothing could have helped me make an informed decision as much as this article has. I came across this article while I was looking for proven approaches towards an information security career. I would be happy to subscribe to any letters / articles (if there are any) that are focused on adopting the right path towards InfoSec careers.
Thanks again.
Regards
Umang Doshi
umang_doshi@yahoo.com
Which type of course do I need to take to get this job?
Nice article, a very useful one. Keep going!
Very nice article, you really helped me know which way to go from now, because I’ve just graduated with an MSc. in Info Sys Security and wasn’t clear on where to go from here. I was thinking that for someone with a very little budget, would Network+, Security+, CCNA and then CCNA Security be as good as or close to CISSP? Also, I’ve just put up this website to share knowledge; would you and the rest of the community following this site be so kind as to visit it (www.infosectutorials.com) and give me your opinion and guidance on any of the topics there?
Much appreciated.
Honestly, with a master’s degree I would not bother with Network+ or Security+ — those are both certifications for entry-level technicians. Honestly, the industry has changed a bit since I wrote this post over 4 years ago. CCNA can be useful if you’re going the networking route, though mostly as a route to Cisco’s more advanced and more respected certifications. It’s on par with a Microsoft or Sun certification, really.
The CISSP is not really a high bar. It’s not a capstone cert like it was many years ago; it’s just above entry level and has little value by itself unless you have experience to back it up. With a master’s degree I think you have all the “certification” you need for a first job; what’s going to help you the most now is actually working in the industry for a year or two, preferably in security but at the very least in a networking or development role.
I like your article for the great advice that you provide. I am about 5 courses away from completing my Master’s in Information Assurance combined with an MBA. I have been teaching IT to high school students over the last 8 years and I am preparing for a career change. Even though I have an A+, Network+ and an MCP, I am concerned about my lack of experience in the field being enough to land my first job. What would you recommend? Some people are telling me to study programming and Linux. I enjoy InfoSec and am a little concerned about after graduation.
The master’s degree is a good start. The A+ will mean nothing and the Network+ very little; for the MCP it depends on what it’s in. I think the real question is what sort of job you’re wanting to get.
There are multiple paths in infosec — audit & compliance, risk & governance, engineering & architecture (with this divided into operations or development.) Demand for infosec jobs is really high — unemployment in security is low, which will work to your advantage. The most important thing is to learn an area and really know it well — this could mean studying operational certifications (ISO 27001, etc.) for an audit role, studying security policy and governance (and perhaps getting a CISSP) for a governance role, or studying programming or operations for an engineering role. There are certainly certifications in all those areas, but your degree and experience can probably get you an interview (which is all certifications do for you anyway.) Your ability to demonstrate knowledge in an area is what will get you a job.
Hi Grant Bugher,
Thanks for your article. “There’s a larger market for security generalists than specialists” — very nice point.
Thanks for your response, Grant. Would you suggest that I start by taking the Security+ certification, since it appears that you need to have a certain number of years of experience before taking the CISSP certification? I have been actively applying for internships, but my lack of experience in the field makes it hard to get one. Any ideas?
I appreciate your inside information.
Thank you so much for this article, very informative, and it provided me with a bit of direction! I’m currently working as an access control manager (physical + systems). I have a strong compliance background and would like to get more into info security from a risk and compliance point of view. I have a BCom Risk Management degree and am now thinking of doing the CISSP and CISA before crossing over. What are your thoughts on this?
Noble: On one hand, yes, there is definitely a larger market for generalists. Most companies don’t have more than a couple of security professionals; only a large corporation or tech/Internet company would have enough to employ specialists, so most specialists work as consultants. On the other hand, specialists get paid more, and even as a generalist you’re going to need some kind of technical skill, whether IT/ops or engineering/development.
Gege: In my opinion Security+ has no value if you’ve ever had a job — it’s so entry-level that I would only recommend it to a college student or someone moving in from a non-tech field to show basic competence, and even then I’m pretty dubious — I totally ignore Security+ on resumes when I’m hiring, even if I *am* hiring someone entry-level.
As for CISSP’s experience requirement, really don’t worry about it. As I say above, a few years in almost any tech field will meet it, so this really only matters when you’re first starting out (which it sounds like you might well be.) You can always get Associate of ISC2 (i.e. pass the exam without meeting the experience requirement) then upgrade the cert later.
All this said, honestly since I wrote this post four years ago I think certifications have declined in value. There are so many “paper CISSPs” out there with no real tech/security background who just studied for the test that hiring managers tend to discount it. Same goes for CSSLP, CEH, and even the advanced ISC2 certifications. People still put a lot of stock into the SANS certifications (which are good but exorbitantly expensive) and the advanced Cisco certs (i.e. the ones above CCNA), but not a lot else.
At this point, most certifications are just something you put at the bottom of your resume to get past the HR screener and show up in LinkedIn searches; once you get to the interview, nobody cares and it’s all about ability to talk about your real-world experience and demonstrate technical skill.
Busi: If you want to stay in governance, risk, and compliance, CISA is useful. It’s well-respected in the GRC world, but is considered nontechnical. If you want to move out of it and into technical security, it’s not, and CISSP would be better.
The most important things, though, remain 1.) be good at more than one thing, and 2.) be able to demonstrate real-world technical skill. Certifications only open the door; you still have to walk through it, and this is even more true today than it was four years ago.
I will be graduating with a B.S. in I.T. with ISS focus next year. What certs will help me land a job in the I.T. security field?