Dear CertMag: Which certs will help me become an IT security specialist?
Dear CertMag is a weekly feature that addresses common questions about certification and related IT issues. Have a question? Send an e-mail to editor (at) certmag (dot) com.
Dear CertMag: I graduated with a National Diploma: Information Technology (Support Services) from Nelson Mandela Metropolitan University in South Africa. I am currently working for Eskom as an Assistant Information Security Analyst. I also did the Cisco IT Essentials 1 and 2, CCNA 1, 2 and 3 certificates. I like Information Security a lot, and I would like to be an Information Security specialist. What certifications should I be looking at to move up in the field?
— Ayanda Ngcwabe, Johannesburg, South Africa
One of the interesting challenges in the security field is that of experience: Organizations need technical teams that have specific experience examining audits, or responding to incidents, or owning a policy program, or performing the other activities that take place in the various security roles. At this point in your career, I could not in good conscience recommend a specific certification as the next step for you so much as continuing to close the experience gap. The circular question becomes obvious: How do you build security experience when you need experience to get a security role … to build experience?
From the question you ask, you have a leg up over many hoping to carve out a niche as an IT security specialist, in that you have a junior role that aligns to the security aspects of your current organization. The experience challenge becomes a little bit easier. One of my favorite exercises for this kind of career development is a professional development decomposition.
Basically, figure out what your goal is. Is it to be a full security analyst? Would you like to accomplish that in three years? Five? Or maybe you’d like to be a security engineer of some kind, or some other role? Is that at your current work, or at another organization?
Spend some time looking at the role. Can you observe someone who is doing the role today? Is there a job description on the company intranet that you can read to find out what is needed in the role? What about how the person behaves? Do they do things a different way than you? Do they do different kinds of activities than you? Do they interact with different people than you?
If the position that is your goal is external, look for a job posting from companies you would like to work for in that role. The same kinds of things can be listed, though it may not be a complete list — it’s much easier to observe an internal job function than explore an external company listing.
Now start working backwards: Five years from now, I would like to be the Security Guru Level IV at XYZ Corp. To be there, I need certain skills and experiences and conversations and exposures. They are these things (make a list).
To be able to get there in a few years, I need to be prepared to be at a certain point at three years. To have a reasonable chance to grow from where I am to my five-year goal, here is where I need to be in three years. With certain experiences, certain skills, etc. List them out.
To be able to get to that three-year milestone, I need to be at what point in two years?
To be able to get to that two-year milestone, what do I need to do this year?
Use that “this year” guidance to drive your near-term activities and discussions. Can you talk with your manager about building responsibility in these areas? Can you volunteer for side projects or extra efforts at work and invest the time, trading time for exposure to new and other areas?
Solve the experience gap first. There will be plenty of time to worry about formally certifying your security credentials and experience after you have a basis upon which to demonstrate capability to future employers.