
How To Become An IT Security Professional


If you'd like to add the "security" moniker to your job description, this article provides the steps to get you there.

Security professionals like to joke that the CBS hit show Person of Interest is actually a reality show. That show, about a Homeland Security ubertool that synthesizes and correlates video camera and personal information, is not something that security professionals work with... yet. 

But many IT professionals yearn to add the moniker "security" to their job description because security seems to be growing at a faster pace than general IT, this specialty commands a higher salary than general IT, and besides, it's cool to say "I hack for a living."

Why Certify? 

The least important reason, but the most practical justification for the trouble, is to get past the HR gatekeeper. More importantly, certification can round out your knowledge base, serve as an introduction to a new area, or serve as a differentiator between you and the next applicant, even for an entry-level job. If you have privileged access to a DoD information system, DoDD 8570 requires that contractors, employees, and other personnel performing IAT (Information Assurance Technical) and IAM (Information Assurance Managerial) duties, and other security roles, be certified.

The new chart of baseline certifications may be found here.

The "big" certification, meaning the most popular, is the CISSP, but that's not because it's the hardest, the most comprehensive, or the one with the lowest pass rate. More likely, it is popular because it is a certification that non-technical professionals can pass, and because it has the largest user base of any higher-level security certification. HR feels comfortable making it a requirement for most security titles.

It is very broad, and some SANS instructors are fond of saying "it's a mile wide and an inch deep." Nevertheless, the CISSP curriculum gives test takers a good introduction to most facets of security, as well as a common vocabulary.

Other highly valued certifications include those offered by SANS GIAC. They have general security certifications, now seen in many job requests, such as GSEC (the most similar to CISSP in terms of general IT security, but less broad and much more focused), as well as specialty certifications in areas like pen testing (penetration testing), wireless security, firewalls, forensics, auditing, and management.

ISACA offers four certifications, CISA, CISM, CGEIT, and CRISC. The first two are the most popular and are frequently asked for in security job descriptions, just behind CISSP.

More information on security certifications may be found here and here. Remember that the Security+ certification is entry-level, and that the prices or requirements for some of these certifications have changed since the articles' publication.

IT Security Work Opportunities

One of the best ways of adding security experience to your resume and gaining real world experience is to do the work in a business setting.

How do you get security work assigned to you if you are not in the security group? Volunteer for additional assignments, especially if they involve working with security folks or on security-related projects. If you are constantly reading security-themed books, asking lots of security questions at work, and coming up with good ideas (the security mindset), you will get noticed. That will increase your consideration as an additional resource for project work, and then as a more permanent resource.

Along the same line of thinking, you can increase your security responsibilities, and transition to a full security role, by finding ways to work on security assignments. If you are in charge of user access (boring, perhaps, but really a security responsibility), you could come up with ways to increase security, for example by suggesting and implementing a strong password requirement, a secure self-service password reset, or two-factor authentication.

It's the age-old conundrum: I need experience to get hired as a security geek, but I can't get experience until I find a security job. Many volunteer organizations don't have any security, even if they have part-time IT staff. Offer to improve their security. Work at it long enough, do a good job, and now you have resume experience. Can't find a place to volunteer? Look at your kid's school, your religious organization, or whatever grassroots organization is in your community as a means to hone your skills, add to your resume, and perhaps add a reference.

More Steps To Becoming An IT Security Professional

One of the best ways to navigate your path toward becoming an IT security professional is to listen to a mentor, join groups, attend seminars, and frequently visit related websites.

As for a mentor, approach someone whom you respect and admire. It may be a former boss, a competitor, or even a luminary in the field.

Without Being Annoying, Ask For Advice 

Introduce yourself briefly, being cognizant of their time. Other ways of finding mentors include posting good questions on a security forum, or attending one of the groups listed in the next section and making yourself useful.

Another useful career strategy is forming an advisory board: get opinions from several respected, well-placed people, including some from non-IT fields. Again, don't waste their time. You might take them out for dinner, together or separately.

Join A Group

Beginner or pro, there is an active security community. If security is your lifeblood, there is no excuse for not joining and becoming an active member of at least one security organization.

Major cities have so many opportunities that time management becomes a factor, more so than finding a group. Much of the US is within reach of at least one of the following groups: ISSA, OWASP, or ISACA. But other organizations have security-minded groups as well: there are Def Con groups and 2600 groups, and local InfraGard chapters, among others.

Multiple cons exist throughout the US. Besides Def Con (Las Vegas), there are ShmooCon (Washington D.C.), ToorCon (San Diego), Layer One (Los Angeles), BSides (all over), NotACon (Cleveland), ThotCon (Chicago), DerbyCon (Louisville), SecTor (Toronto) and so on. Look on LinkedIn, maker blogs, and other security blogs to find local groups that meet your interests.

Attend A Seminar

Most security vendors offer free seminars. Some even offer free training at local, extended seminars. All offer free webinars, so not only is this a way to gain more knowledge, it is also a way to earn the CPEs needed to maintain your certification without leaving your desk. As an added bonus, many vendors will give out tchotchkes like thumb drives and t-shirts.

Security Websites And Blogs

"Tell me what security blogs or websites you follow" is a common interview question, and following them is also a great way to bounce ideas off other accomplished professionals, to stay current, and to obtain information not generally available elsewhere. Check out some of our favorites in the sidebar.

Build Your IT Security Network

Social media is a great way to build relationships, not only for mentoring, but for later IT security employment opportunities.

Talk to people: at cons, at meetings, at work, on the wire. That's not something many geeks are good at, so push your comfort zone. Great relationships last many years.

At a Def Con 20 panel, "Screw the Planet, Hack the Job!", panelists suggested that many employment offers came years after people met while volunteering at Def Con. Of course, winning a black badge at Def Con is a resume event, but so too is volunteering (as a goon) at a significant level. Do it well enough, and you'll get a letter of recommendation.

Panelists Roamer and Lockheed suggested that the most important thing, whether at a job or at Def Con, is to build a trust relationship. Do that well, even over-achieve, and you will be recommended for that next job. As Roamer put it, the reason to get on the path to a security job is that you are no longer going to work; you are going to do what you love. The pay is just a bonus. Another panelist, Heather, gained many clients from building great trust relationships at Def Con.

Remember that the path to your dream job will involve many steps. You won't get that perfect security job straight out of school or certification camp. That first step may not even be a security job. Keep the end goal in mind, and take steps to work towards that goal.
