INFORMATION SECURITY PROFESSIONAL
Many people seek advice for how to become an information security (INFOSEC) professional.
This page grew out of e-mail to them and continues to change over time.
The INFOSEC career field is broad and requires technical expertise. Accordingly, an
INFOSEC professional must develop breadth and depth throughout the information security
domain (e.g. in physical security, business continuity and legal matters).
I. Obtain Practical Experience
Establish a foundation as a technologist first. A solid understanding of system
administration and networking is a good start. Learn how to harden common operating
systems and develop an understanding of hacking techniques. The U.S. military is a
great place to gain INFOSEC experience; it was focused on security long before security
came into vogue.
The next logical step is to join the local chapter of a security organization. The
Information Systems Security Association (ISSA) would be my first choice. The
Information Systems Audit and Control Association (ISACA) and Infragard are solid
organizations as well. Actively participate in a wide variety of INFOSEC groups and
mailing lists, and create your own professional web site.
II. Become Certified
Increase your knowledge and experience through the pursuit of certifications. Seek out
your blind spots and work to eliminate them. Do not cram to pass a certification exam.
Your peers and management will see past the paper. Instead, work hard to learn the
material and earn the certification. Focus on techniques to implement and maintain a
comprehensive INFOSEC program.
There are two basic types of certifications, management and technical. I recommend
starting with the CISSP. It is the leading INFOSEC management certification. The
(ISC)2 Associate program permits applicants to take the CISSP exam while lacking the
years of experience required to earn the certification. From there, associates go
into a holding pattern until they meet the experience requirements.
Through studying for the CISSP, you will cover the breadth of the INFOSEC career field
and discover weaknesses in your skill set. The CISM is a similar certification; consider
it as well. From there, I suggest gaining experience and certification in a firewall.
Following this path, you will have gained a management certification ("a mile wide and
an inch deep") and have proven your technical abilities through hands-on experience.
SANS maintains solid technical security certifications. Commercial organizations
provide certifications for their respective software and operating systems. After
obtaining the CISSP and a solid technical certification, take the CISA. It is a
well-respected IT audit certification.
III. Take Control
The path of an INFOSEC professional is one of discovery (the journey, not the
destination). Over time your needs and opinions will change with your discoveries, your
job and developments within technology and the career field.
At this point, you will begin to morph into a specialized professional. Consider areas
of interest to you and the demand for people with those skills in the market (e.g.
operational risk, business continuity and fraud).
IV. Career Path Diagram

In the example above, the professional starts by working as a system administrator and
transitions into an information security engineer position. After five years of
experience, he passes the CISSP and CISM exams. Next, he moves to an information
security auditing role and earns the CISA designation. At this point, our professional
has gained the experience required to earn a management position. Instead, he decides
to continue to round out his experience in the information security career field.
Information privacy and operational risk positions follow, along with the associated
certifications (CIPP and CRP, respectively).
In this scenario, our professional has gained experience in the INFOSEC career field and
has many options open to him. He can move into management, transition into business
operations, leave for another organization or enter into independent consulting.
The specific career path does not matter. Some may choose a different path, gaining
expertise in forensics and penetration testing for example. The point is to distinguish
yourself from the competition, take control and enjoy your career.
If you have any questions or comments, please do not hesitate to contact me.
Gideon
Copyright © 2002 - 2008 Gideon T. Rasmussen All Rights Reserved.