Information systems security - a career path worth considering

I recently returned from ArcSight Protect ‘10, our annual user conference in Washington D.C. With over 1000 people in attendance over 3 days, I had plenty of time to meet with security practitioners - from CISOs to security specialists.

The two most frequent conversations I had while there presented almost diametrically opposed viewpoints: first, that it’s an exciting time to be an information systems security professional; and second, that there is a shortage of skilled Information Systems (or IS) security professionals out there.

Much has been written about the cybersecurity skills shortage both here in the UK and abroad, and initiatives on both sides of the pond are attempting to redress the balance.

The growth in cyberthreats seems to suggest that the demand for skilled people will continue for the foreseeable future. In short, IS security could be a worthwhile career path that people should consider.

I’m currently the Principal Consultant for the ArcSight security operations consultancy practice in EMEA, and before that I was the Information Systems Security Officer for the international arm of a Dutch bank.

In my 20 years of experience as a security professional, I’ve had the fortune to work in a number of industries and address a wide range of security challenges. For me, IS security has been, and continues to be, interesting and rewarding.

To build a successful career in this field, I believe there are a number of key factors to consider.

Knowledge is key: Of primary importance is building a broad knowledge base in order to effectively “bridge” the gap between the information technology security and business domains.

Business acumen: You don’t need to know how to run the business on a day-to-day basis, but you certainly need to know what makes it “tick” in terms of core business processes and critical information assets. Wherever you are, you should engage positively with the business to ensure you really understand the market sector, fundamental strategy and drivers.

Technology background: A thorough grounding in at least a couple of information technology areas is essential to successfully managing security risk in today’s organisations. You cannot hope to match the experts in all areas, but with good generic IT knowledge, you can often see through the smoke and mirrors and avoid getting “the wool pulled over your eyes” in many important situations.

I believe many candidates are leaving university with quite specific information security qualifications, but I still feel that a broad IT background in development, support and/or infrastructure, coupled with the right security mindset, is a solid springboard to a career in information security.

A key skill for success in my jobs has been the ability to translate a wide range of complex technology issues into real business risk and then present this in plain English to the not-so IT literate.

Certification: Choosing relevant and well regarded industry certifications is a positive career differentiator. Over the years, I have studied for and obtained many credentials, but I have observed that they may not command the same respect and value over time.

Review industry job postings, see what the industry currently values and go for these as a priority. As a certified information systems security professional (CISSP), I certainly recommend this particular credential, as I feel it continues to provide a great baseline within the industry.

I would also advise looking into the various SANS security certifications (GCIA, GCIH, etc.) and investigating their associated security career roadmaps.

Networking: The old adage is just as true today as it’s ever been - “it’s not just what you know, but also who you know.” You can certainly benefit from professional networking sites on the Web to a great degree for career success, but in my experience, there is still no substitute for meeting face to face.

You should consider joining recognised industry forums and associations, and getting involved in local information security chapters, user groups, etc. If you think you have an interesting experience to share, be brave. Get on your soapbox and raise your profile in person.

Passion: Finally, I believe that in this line of work, you really do have to walk the walk and not just talk the talk. If you really believe in the fundamental security principles and have a passion for the job, this will always shine through in person, such as in interview situations, and certainly constitutes another important success factor.

Blog post by Mark Jacob, Director of Security Operation Centre (SOC) services