Most of us accept that IT security is now firmly in the ‘need to have’ category. But what does it mean to have a career in information security, and how do you go about working in this particular sector? Security professionals have traditionally had a ‘hard-man of IT’ image. And this negative reputation, alongside the long hours that all IT practitioners work, has alienated people in the past.
But there are major advantages to working in security. For a start, there will always be a demand for those with the right qualifications, experience and attitude. Furthermore, security professionals are some of the most passionate and knowledgeable individuals in the business – with access to some of the most exciting new developments coming out of R&D labs.
There are a number of recognised training programmes and certifications available, as security increasingly becomes a mainstream career path. A good place to start is the International Information Systems Security Certification Consortium, abbreviated to (ISC)2. It offers the Certified Information Systems Security Professional (CISSP) qualification, something of a gold standard, as well as the Systems Security Certified Practitioner (SSCP) credentials.
To achieve CISSP, candidates need to demonstrate a working knowledge of ten areas of security-related best practice. These are: security management practices; security architecture and models; access control and methodology; application development security; operations security; cryptography; telecommunications, network and internet security; business continuity planning; law, investigation and ethics; and physical security.
For the SSCP qualification, candidates have to prove working knowledge of: access controls; administration; audit and monitoring; cryptography; data communications; malicious code and malware; and risk, response and recovery.
Alternatively, the SysAdmin, Audit, Network, Security (SANS) Institute provides intensive immersion training that leads to the Global Information Assurance Certification (GIAC). GIAC also addresses multiple security areas, including: security essentials; intrusion detection; incident handling; firewalls and perimeter protection; forensics; hacking techniques; and operating system security, amongst others.
GIAC differs from CISSP and SSCP because it tests both knowledge and the ability to put that knowledge into practice in the real world. Equally helpful is the SANS Institute’s security awareness training for the end users of the systems: as ‘real world’ experience soon shows, one of the biggest threats is not a mad terrorist attempting to take over the world, it’s everyday users accidentally letting malicious code into the system.
Finally, there’s the Information Systems Audit and Control Association (ISACA), through which individuals become qualified as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM).
As you can see, the notion of security covers a very broad range of activities and skills. Once the basics have been acquired, it is possible to focus on specific areas, to gain experience and credentials. This ensures that security professionals have a sufficient knowledge base before moving up the management tree where broader experience and generalist skills are required.
Having addressed the basics, it is relatively easy to build and maintain a successful career. However, a decision needs to be made fairly early on about whether to work as a consultant or an in-house expert. Consultancy requires a much more flexible approach. Customers may not always be right, but they do pay the bills: working with them, rather than against them, is therefore vital. That means enhancing soft skills, such as communication and teamwork, and developing the ability to influence without overriding or undermining clients.
Security experts should also take time to learn a new language: business-speak. Security isn’t just about technology any more. It’s about delivering real, quantifiable business benefits. Communicating this to the decision makers and budget holders is going to be a lot more successful when expressed in terms they understand.
Above all, staying current is crucial – no-one wants a security expert who is out of date.
Most of the qualifications mentioned above require re-testing and re-evaluation at regular intervals. But that’s part of the joy of working in security – there is always something new to learn. There will always be new threats to our systems, and it’s the security team who come to the rescue with exciting and innovative solutions.
It’s another reason why getting qualifications with internationally recognised bodies is so important. Anyone with these has, in effect, joined a worldwide club of security professionals which offers unrivalled access to new information and potential solutions.
Whatever the specific path chosen, a career in security presents great opportunity, diversity and above all enjoyment. The security industry continues to become more mainstream and accepted at senior levels as a business necessity, rather than a necessary evil. As it does so the opportunities for dedicated, talented security professionals can only grow.
Ray Stanton, Global Head of BT Security Practice, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.