Many people seek advice for how to become an information security (InfoSec) professional.
This page grew out of e-mail to them and continues to change over time.
The InfoSec career field is broad and requires technical expertise. Accordingly, an
InfoSec professional must develop breadth and depth throughout the information security
domain (e.g. in physical security, business continuity and legal matters).
I. Obtain Practical Experience
Establish a foundation as a technologist first. A solid understanding of
administration and networking is a good start. Learn how to harden common operating
systems and develop an understanding of hacking techniques. The U.S. military is a
great place to gain InfoSec experience. They were focused on security long before it
came into vogue.
The next logical step is to join the local chapter of a security organization. The
Information Systems Audit and Control Association (ISACA) would be my first choice. The
Information Systems Security Association (ISSA) and InfraGard are solid organizations as
well. Actively participate in a wide variety of InfoSec groups/lists and create your own
portfolio web site.
II. Become Certified
Increase your knowledge and experience through the pursuit of certifications. Seek out
your blind spots and work to eliminate them. Do not cram to pass a certification exam.
Your peers and management will see past the paper. Instead, work hard to learn the
material and earn the certification. Focus on techniques to implement and maintain a
comprehensive InfoSec program.
There are two basic types of certifications, management and technical. I recommend
starting with the CISSP. It is the leading InfoSec certification. The
(ISC)2 Associate program permits applicants to take the CISSP exam while lacking the
years of experience required to earn the certification. From there, associates go
into a holding pattern until they meet the experience requirements.
Through studying for the CISSP, you will cover the breadth of the InfoSec career field
and discover weaknesses in your skill set. The CISM is a similar certification. Consider it as well. From there,
I suggest gaining experience and certification in a firewall. Following this path, you
will have gained a management certification ("a mile wide and an inch deep") and have
proven your technical abilities through hands-on experience.
SANS maintains solid technical
security certifications. Commercial organizations provide certifications for their
respective software and operating systems. After obtaining the CISSP and a solid
technical certification, take the CISA. It is a well-respected IT audit certification.
III. Take Control
The path of an InfoSec professional is one of discovery (the journey, not the
destination). Over time your needs and opinions will change with your discoveries, your
job and developments within technology and the career field.
At this point, you will begin to morph into a specialized professional. Consider areas
of interest to you and the demand for people with those skills in the market (e.g.
operational risk, business continuity and fraud).
IV. Career Path Diagram
In the example above, the professional starts by working as a system administrator and
transitions into an information security engineer position. After five years of
experience, he passes the CISSP
exam. Operational risk and internal audit positions follow, along with associated
certifications (CRISC and CISA, respectively).
At this point, our professional has gained the experience required to earn a management
position and the CISM. He
decides to continue to round out his skill set with privacy experience and the CIPP certification.
In this scenario, our professional has gained experience in the InfoSec career field and
has many options open to him. He can move into management, transition into business
operations, leave for another organization or enter into independent consulting.
The specific career path does not matter. Some may choose a different path, gaining
expertise in forensics and penetration testing for example. The point is to distinguish
yourself from the competition, take control and enjoy your career.
Throughout your career you will always be siloed in one job or another. The best advice
I can give is read, read, read. Read many articles per week. That helps to maintain skill
set, to learn new techniques and to keep up with developments in the information security
career field. My Twitter feed is http://twitter.com/gideonras, in case you are interested. You can also access it by
RSS feed and e-mail.
If you have any questions or comments, do not hesitate to contact me.