Information security is hot. With existing educational paths lacking the capacity to churn out the needed number of professionals at the moment, people are migrating into the field at a significant rate. Seldom a planned career choice, the move into information security occurs as opportunity offers itself, or because an employer has an urgent requirement to fulfil. Once in, career development and planning become essential given the diversity of opportunity and level of change to manage.
Being a ‘career changer’ can be an asset. The diverse background of security professionals helps them take a broader perspective as long as they can also show solid training in their chosen subject matter. Generally, experience in operational IT is essential for people to develop a realistic understanding of what security does or can do. Security is also highly dependent on context, driven by the specific needs of the company. Being familiar with the workings of a company is therefore also a valuable asset to build upon.
Further, the fast-moving nature of the field mandates that professionals are committed to staying up to date. This involves keeping up with the ever-changing world of threats and technology, with the developing business role of information security, and with your personal career aspirations. You will need to network and stay in touch with your professional community, usually by participating in conferences and events. This is in addition to specific training courses. The courses and conferences available tend either to take a business strategy/policy-focused approach or to be highly technical.
Plan your career development. That sounds like cheap advice, but there are a few issues you will need to think through. If the security field is a transitory career step, which you’re looking to leave in a few years’ time, then you will need to focus on developing and maintaining transferable skills. There will be little benefit in becoming a technical specialist. Excellence in this area requires time and commitment, while your contribution is more likely to be based upon your business and operational skills.
Research within the (ISC)² Global Information Security Workforce Study highlights the need for communication, project management and leadership skills in addition to the core job requirements. The study also illustrates the changing nature of security roles, moving from being a stop-gap fix for IT operations towards a manager of business risk.
If you are in the security field for the long haul then you should consider a security certification, especially if you have entered the field as a career changer. No matter how confident you are about your own skills, there is value in being able to demonstrate them to others, be they hiring managers, HR departments or clients. Certifications do not compete with academic qualifications but complement them, demonstrating the required breadth of knowledge and perspective, relevant skill and pertinent experience. There is a wide variety of choices available in the market, allowing you to choose the one that best fits your personal ambition.
Whatever your ambitions or route into information security, you should make it a requirement that your company is ready to invest in you. This is as much about helping you fund your educational choices as it is about giving you the time to pursue them. Nowhere is the proverb ‘if you’re not moving forward you’re falling behind’ as pertinent as in information security. You and your employer must understand that the nature of the practice requires professionals to stay constantly up to date and in touch with the broader community.
Peter Berlich, chair of (ISC)² chapter Switzerland