Many people seek advice for how to become an information security (InfoSec) professional. This page grew out of e-mail to them and continues to change over time.

The InfoSec career field is broad and requires technical expertise. Accordingly, an InfoSec professional must develop breadth and depth throughout the information security domain (e.g. in physical security, business continuity and legal matters).

I. Obtain Practical Experience

Establish a foundation as a technologist first. A solid understanding of system administration and networking is a good start. Learn how to harden common operating systems and develop an understanding of hacking techniques. The U.S. military is a great place to gain InfoSec experience; it was focused on security long before security came into vogue.

The next logical step is to join the local chapter of a security organization. The Information Systems Audit and Control Association (ISACA) would be my first choice. The Information Systems Security Association (ISSA) and InfraGard are solid organizations as well. Actively participate in a wide variety of InfoSec groups/lists and create your own portfolio web site.

II. Become Certified

Increase your knowledge and experience through the pursuit of certifications. Seek out your blind spots and work to eliminate them. Do not cram to pass a certification exam. Your peers and management will see past the paper. Instead, work hard to learn the material and earn the certification. Focus on techniques to implement and maintain a comprehensive InfoSec program.

There are two basic types of certifications: management and technical. I recommend starting with the CISSP. It is the leading InfoSec certification. The (ISC)2 Associate program permits applicants to take the CISSP exam while lacking the years of experience required to earn the certification. From there, associates go into a holding pattern until they meet the experience requirements.

Through studying for the CISSP, you will cover the breadth of the InfoSec career field and discover weaknesses in your skill set. The CISM is a similar certification. Consider it as well. From there, I suggest gaining experience and certification in a firewall product. Following this path, you will have gained a management certification ("a mile wide and an inch deep") and have proven your technical abilities through hands-on experience. SANS maintains solid technical security certifications. Commercial organizations provide certifications for their respective software and operating systems. After obtaining the CISSP and a solid technical certification, take the CISA. It is a well-respected IT audit certification.

III. Take Control

The path of an InfoSec professional is one of discovery (the journey, not the destination). Over time your needs and opinions will change with your discoveries, your job and developments within technology and the career field.

At this point, you will begin to morph into a specialized professional. Consider areas of interest to you and the demand for people with those skills in the market (e.g. operational risk, business continuity and fraud).

IV. Career Path Diagram

In the example above, the professional starts by working as a system administrator and transitions into an information security engineer position. After five years of experience, he passes the CISSP exam. Operational risk and internal audit positions follow, along with associated certifications (CRISC and CISA, respectively).

At this point, our professional has gained the experience required to earn a management position and the CISM. He decides to continue to round out his skill set with privacy experience and the CIPP certification.

In this scenario, our professional has gained experience in the InfoSec career field and has many options open to him. He can move into management, transition into business operations, leave for another organization or enter into independent consulting.

The specific career path does not matter. Some may choose a different path, gaining expertise in forensics and penetration testing for example. The point is to distinguish yourself from the competition, take control and enjoy your career.

Throughout your career you will always be siloed in one job or another. The best advice I can give is read, read, read. Read many articles per week. That helps you maintain your skill set, learn new techniques and keep up with developments in the information security career field. My Twitter feed is available, in case you are interested. You can also access it by RSS feed and e-mail.

If you have any questions or comments, do not hesitate to contact me.

Kind regards,
