Charting a Security Career Path
For many years, one of the hottest areas in IT has been information security. For those who wish to enter this field, determining the best path to take can be quite difficult. The right path will vary from person to person, but some tips can help make the task a little easier.
The first step to choosing a security career path is to determine the area of information security to pursue. Do you want to focus on securing code, or is your interest more in forensics? Or would you rather perform security audits of networks? Perhaps you want be a security researcher and find flaws in various products. No matter what the choice, a few suggestions can be helpful.
As a start, certifications can be a great help, especially security certs — not only can you learn more about information security, but with the right certifications, you also can help validate your knowledge of the field. Care should be taken when choosing which certifications to pursue, however.
As a start, those interested in security should pursue certifications that will help them gain general IT skills. Network certifications such as Network+ from the Computing Technology Industry Association (CompTIA) and the Cisco Certified Network Associate (CCNA) will help provide a good foundation of general network knowledge on which to build the security skills.
In addition to network certifications, for those who wish to work with Windows systems, the Microsoft Certified Systems Engineer (MCSE): Security can be very useful. For general security practitioners, a good entry-level certification is the CompTIA Security+ certification. It provides the basic knowledge you need for securing a network, and it is slowly gaining in popularity and recognition.
Perhaps the most recognized certification for general security practitioners is the Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium [(ISC)2], a group industry leaders created in 1989. This certification requires candidates not only demonstrate knowledge of 10 areas of information security (aka domains) but also document at least four years of security experience.
A thorough understanding of each of these domains is not required, so this is a good certification for anyone interested in the security field, and even if you wish to specialize in a certain aspect, the wide range of knowledge is beneficial.
For those interested in general security certifications and also for more-specific security certifications, SANS offers many highly regarded certifications for both types. Certifications such as the GIAC Security Essentials Certification (GSEC) are good for representing broad security knowledge, and more-specialized certs such as the GIAC Certified Firewall Analyst (GCFW), GIAC Certified Forensics Analyst (GCFA) and GIAC .Net (GNET) provide more details coverage for precise areas of information security.
The Information Systems Audit and Control Association (ISACA) offers training and certifications for those interested in auditing. Its Certified Information Systems Auditor (CISA) certification was created in 1978 and continues to be a respected and popular certification for auditors.
More recently, ISACA created the Certified Information Security Manager (CISM), a certification for those interested in managing and overseeing enterprise-level information security.
Another important aspect of entering the security field is experience. The majority of people do not have the opportunity to enter the security field directly — they start as systems administrators or programmers, gain experience and knowledge and then move into a full-time security position. This experience helps provide the necessary background and skills to succeed in information security.
Perhaps the most important aspect of a path in the information security field is a degree in a computer-related field such as computer science or management information sciences (MIS). A more recent trend is a degree in information security or information assurance. Many colleges and universities have started offering such degrees, including some online universities.