Ask the Expert: Changing Careers to Infosec
I was wondering if you could help with a problem I face with some of my classmates. Several of us ended up in dead-end careers resulting from recent economic conditions and layoffs.
We don’t have IT backgrounds, but wanted to start new careers in Network or Information Security because we learned that these are areas of growth and demand for workers is high in these areas.
I have a law background working as a software licensing attorney negotiating technology contracts, but that’s the extent of my know-how. There are several technical schools that all offer the program du jour—Network Security or Information Security. I’m currently enrolled in one such program spread out over 22 months of evening classes twice a week for over $17K and I’ve a horrid feeling that despite their representations, I’ll be left with a “diploma” that is useless for finding a job other than that of security guard.
Are there programs that you would recommend or things that you think those looking to transition into a career in the information security field should look for in a credible program? Any information you could provide would be helpful. For instance, I don’t know if a Master’s program is a good route, or simply trying to obtain certificates such as CISSP. Are technical schools a better idea than an undergraduate degree in computer science?
Or is it better to find a help desk job and work one’s way up? In other words, how might those in mid-career start over in an IT field? Is it possible? I’m beginning to wonder if this is all fantasy. Thank you.
I agree wholeheartedly that you should be wary of expensive infosec training programs making egregious claims about their placement rates, job opportunities, and so forth. I’m also a bit concerned that they appear to suggest, despite a lack of prior work experience and knowledge in their charges, that their training alone will be enough to put you in a job in network or information security. The brute facts of the matter are that most full-time professional infosec workers have 5 or more years of work experience–most commonly as system or network administrators–before they begin working their way into the field of information security. Most employers are savvy enough to know that on-the-job experience is an essential ingredient in anyone in whom they choose to confide their trust in maintaining security for their systems, networks, and businesses.
Thus, I also approve of your thoughts to pursue a Master’s degree because meeting such a program’s background requirements to assure acceptance, then completing its curriculum, will probably take you 3-4 years. During the same time, I’d urge you to seek out at least part-time work (perhaps even at the academic institution where you’d pursue such a degree plan) in IT to help prepare yourself for work in the field post-graduation. In fact, bachelor’s degrees in infosec are now also becoming available and might make sense for some of your colleagues (though for yourself, who I presume has both a bachelor’s and a JD or LLD, this probably isn’t necessary).
To learn more about programs, visit Google or your favorite search engine and do some poking about. For example, though I got no direct hits in the search window there for “information security masters degree” I did provoke a rash of advertisements in the right-hand side of the window from the University of Fairfax, Knowledge Systems Institute, Capella University, the University of Phoenix, and James Madison University, all of which offer such programs. I also happen to know that most of the top 20 computer science schools–Stanford, MIT, Carnegie-Mellon, Purdue, the University of Texas at Austin, and so forth–also permit grad students to specialize in infosec for master’s degrees as well, when they don’t offer outright degrees in the subject matter.
My advice, given your background and experience, would be to go first for an advanced degree while also working at least part time in IT. You can’t qualify for CISSP based on its experience requirements–three years of full-time infosec working experience with a college degree–immediately anyway. But once you meet its experience requirements that certification (or one sufficiently like it to have real value in the marketplace) wil